Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Umer221
Staff
Staff

Created on ‎09-20-2023 09:58 AM Edited on ‎01-04-2026 10:40 PM By Community Manager

Article Id 274792

Technical Tip: Resolving inconsistency in connecting to smtp.office365.com on Port TCP 587 using Policy ID (ID number)

Description This article describes how to resolve the issue where the policy that should allow traffic to smtp.office365.com on port TCP 587 is not working consistently, resulting in periods where the connection is blocked and periods where it is allowed.
Scope FortiGate.
Solution

To solve this problem, the dynamic nature of the FQDN address of smtp.office365.com was identified as the root cause, which resolved to different addresses on FPMs and was addressed by increasing the cache TTL for the FQDN to 24 hours.

 

Here are the step-by-step instructions to carry out this solution:

  1. Verify the Policy: Follow the link to verify/create a policy (Configure a Policy):

Ensure Policy ID (Policy ID number) is correctly set up to allow traffic from the specific source to smtp.office365.com on port TCP 587. Port 587 is commonly used for SMTP (Simple Mail Transfer Protocol) for mail submission. It is designated for client-to-server communication, facilitating the sending of email messages to the mail server. It is technically possible to change the port number as long as the service/server communicating with it supports the port number change.

 

  1. Check DNS Settings: Follow the link to verify/create DNS (FortiGate DNS server:(

Confirm that DNS settings are correctly synchronized between the firewall and the server.

 

  1. Adjust Cache TTL: Follow the link to adjust Cache TTL (Configure TTL Value:(
  • Log in to the FortiGate firewall device.
  • Navigate to the relevant policy settings for FQDN objects by following the path 'Policy & Objects -> Addresses -> Create an FQDN Object if not already created'.
  • Locate the setting for smtp.office365.com.
  • Increase the cache TTL for smtp.office365.com to 24 hours (86400 seconds) to maintain a consistent address resolution. This setting can only be configured through CLI:

 

config firewall address
    edit "SMTP-Office"
        set type fqdn
        set fqdn "smtp.office365.com"

        set cache-ttl 86400
    next
end

 

  1. Test the Solution: After increasing the TTL, test the solution to ensure the connection to smtp.office365.com is now consistent.
  2. Alternative Solution: If the issue persists, remove the FQDN from the policy and configure the policy with a specific source IP address along with the SMTP service.
  3. Create an Internet Service Policy (ISDB) with the destination service as Microsoft Outbound Email, as shown in the following screenshot:


SMTP.png

 

Related article:

Technical Tip: How to identify port 587 is open for smtp.office365.com
4104
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.