Make sure to have a working WAN link to send out the email.
Do a test ping to the default mail server: notification.fortinet.net or fortinet-notifications.com
Since v7.4.4, the default email server has been changed from notification.fortinet.net to fortinet-notifications.com.
exe ping notification.fortinet.net
PING notification.fortinet.net (208.91.114.151): 56 data bytes
64 bytes from 208.91.114.151: icmp_seq=0 ttl=41 time=196.1 ms
64 bytes from 208.91.114.151: icmp_seq=1 ttl=41 time=195.7 ms
64 bytes from 208.91.114.151: icmp_seq=2 ttl=41 time=195.9 ms
64 bytes from 208.91.114.151: icmp_seq=3 ttl=41 time=195.9 ms
64 bytes from 208.91.114.151: icmp_seq=4 ttl=41 time=195.3 ms
Then, check the existing configuration in FortiGate.
Below is an example of default settings:
get system email-server
type : custom
reply-to :
server : notification.fortinet.net
port : 465
source-ip : 0.0.0.0
source-ip6 : ::
authenticate : disable
validate-server : disable
security : smtps
ssl-min-proto-version: default
interface-select-method: auto
In some cases, it is necessary to configure the interface manually:
set interface-select-method
auto       Set outgoing interface automatically.
sdwan      Set outgoing interface by SD-WAN or policy routing rules.
specify    Set outgoing interface manually.
When a custom email server is used on FortiGate to send emails such as FortiToken activation emails or email alerts, the emails may not be received on the user side.
Check the connection to the Email Server:
- Make sure FortiGate can reach the email server.
- Try to ping the email server to verify the connectivity.
exe ping <SMTP server IP>
- If the email server is beyond the IPsec tunnel, set the source IP in the email server settings of the FortiGate with the internal interface IP.
This allows FortiGate to reach the server over the tunnel.
config system email-server
...
set source-ip {ipv4-address}
...
end
Run the alert mail debugs:
- Once the connection to the server is successful, run the below alert email debugs to see if there are any errors.
diag debug reset
diag debug enable
diag debug console timestamp enable
diag debug application alertmail -1
- After enabling the email, try to send the activation mail again or trigger a test mail.
diagnose log alertmail test
Note:
This test sends the test mail to the email address configured in the alert email settings ('config alertemail setting').
If it is not configured, no emails will be sent out.
Refer to this article to configure it:
Technical Tip: How to configure alert email settings
Troubleshooting:
- If the debug shows the 'send mail success' message but the email is still not received, try changing the recipient email address to one on a public domain (Gmail or Yahoo).
- This is because spam filters on the corporate email system sometimes block or archive the emails.
- If emails are still not received after making the change, make sure the default reply-to email is set in the email server settings.
If it is not set, the debugs will show 'send mail success' but the emails will not be received.
config system email-server
set server "<Email server IP>"
set reply-to "admin@example.com"
end
If the debugs show any failures or errors, check the following:
- Whether the credentials entered for the SMTP server and the port number are correct.
- Whether the protocol matches what the server expects (SMTP or SMTPS).
- Run a packet sniffer for the email server IP and see if there is bidirectional traffic.
diagnose sniffer packet any "host <server IP> and port <port no>" 4 0 l
If the issue still persists, collect all the debugs and the output of the above commands and submit them to the TAC ticket along with the configuration file of the FortiGate.
Then, disable debug:
diagnose debug disable
diagnose debug reset
Save the output, either by downloading it from the CLI window or by logging the session with PuTTY, and attach the debug logs to the case for TAC review.
Output of the Email Alert Debug
The debug below shows the important messages to check during troubleshooting:
diagnose debug reset
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug application alertmail -1
Debug messages will be on for 30 minutes.
Fortigate#
2024-11-25 00:04:42 Arrived msg(type 8, 818 bytes):XXXXXX@gmail.com <-------- User's email.
/data2/tmp/ftm_qr_FTKMOB4B64FDA57B.png <--- QR code sent in the email.
FTM Activation on FortiGate <---- Message body (Beginning of the message)
Welcome to FortiToken Mobile - One-Time-Password software token.
Please visit https://docs.fortinet.com/ftoken.html for instructions on how to install your FortiToken Mobile application on your device and activate your token.
You must use FortiToken Mobile version 2 or above to activate this token.
Your Activation Code, which you will need to enter on your device later, is
"EEIJEOT7WMAVXDHV"
Alternatively, use the attached QR code image to activate your token with the "Scan Barcode" feature of the app.
You must activate your token by: Thu Nov 28 00:04:42 2024 (GMT-5:00) Eastern Time (US & Canada), after which you will need to contact your system administrator to re-enable your activation.
FortiGate
2024-11-25 00:04:42 mail_info: from:notification.fortinet.net user:DoNotReply@notification.fortinet.net
2024-11-25 00:04:42 mail_info: reverse path:DoNotReply@notification.fortinet.net user name:DoNotReply <-------------- Message body (End of the message).
2024-11-25 00:04:42 to[0]:XXXXXX@gmail.com
2024-11-25 00:04:42 <==_init_mail_info
2024-11-25 00:04:42 create session <-------- SMTP session.
2024-11-25 00:04:42 resolve notification.fortinet.net to 1 IP
2024-11-25 00:04:42 ==> send mail <------- FortiGate Sending the email.
2024-11-25 00:04:42 connecting to 208.91.114.151 port 465
2024-11-25 00:04:42 send mail 0xca410a0 session 0xca42460
2024-11-25 00:04:42 session_io_event: creating ssl structure for session 0xca42460
2024-11-25 00:04:42 ssl_init
2024-11-25 00:04:42 create_ssl_ctx
2024-11-25 00:04:42 create_ssl: 0x7f8106334000
2024-11-25 00:04:42 sessionn 0xca42460, SSL connected
2024-11-25 00:04:43 session: 0xca42460, rsp_state: greeting, code: 220
2024-11-25 00:04:43 session: 0xca42460, rsp_state: ehlo, code: 250
2024-11-25 00:04:43 session: 0xca42460, rsp_state: mail, code: 250
2024-11-25 00:04:43 session: 0xca42460, rsp_state: rcpt, code: 250
2024-11-25 00:04:43 session: 0xca42460, rsp_state: data, code: 354
2024-11-25 00:04:43 session: 0xca42460, rsp_state: data2, code: 250
2024-11-25 00:04:43 session: 0xca42460, rsp_state: quit, code: 221
2024-11-25 00:04:43 session finined <----- End of SMTP session
2024-11-25 00:04:43 _session_on_destroy
2024-11-25 00:04:43 <== send mail success, m = 0xca410a0 s = 0xca42460 <----- Email successfully sent to destination.
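When a saved debug capture holds several send attempts, a small script can group the lines by SMTP session and point to the troubleshooting step above that applies to each one. The following is an added example, not Fortinet code: the function names are hypothetical, the regular expressions are derived only from the output shown above, and the second sample session assumes a rejected step is logged in the same 'rsp_state: ..., code: ...' format.

```python
import re

CONNECT = re.compile(r"connecting to (\S+) port (\d+)")
TLS = re.compile(r"sessionn? (0x[0-9a-f]+), SSL connected")  # 'sessionn' as printed above
RSP = re.compile(r"session: (0x[0-9a-f]+), rsp_state: (\w+), code: (\d{3})")
DONE = re.compile(r"send mail success, m = 0x[0-9a-f]+ s = (0x[0-9a-f]+)")

def summarize(debug_text):
    """Group alertmail debug lines by SMTP session id."""
    sessions, server = {}, None
    def get(sid):
        return sessions.setdefault(sid, {"server": server, "tls": False,
                                         "steps": [], "failed_at": None, "success": False})
    for line in debug_text.splitlines():
        if m := CONNECT.search(line):
            server = (m.group(1), int(m.group(2)))
        elif m := TLS.search(line):
            get(m.group(1))["tls"] = True
        elif m := RSP.search(line):
            s, code = get(m.group(1)), int(m.group(3))
            s["steps"].append((m.group(2), code))
            if code >= 400 and s["failed_at"] is None:  # SMTP 4xx/5xx replies are failures
                s["failed_at"] = (m.group(2), code)
        elif m := DONE.search(line):
            get(m.group(1))["success"] = True
    return sessions

def next_check(s):
    """Map a session summary to the troubleshooting step this article gives for it."""
    if s["failed_at"]:
        return "server rejected '%s' with %d: verify credentials, port and SMTP/SMTPS" % s["failed_at"]
    if s["success"]:
        return "sent: if not received, check recipient spam filtering and reply-to"
    return "no completed SMTP dialogue: sniff for bidirectional traffic to the server"

# Constructed sample: the first session copies lines from the output above; the
# second is hypothetical and assumes a rejection is logged in the same format.
SAMPLE = """\
2024-11-25 00:04:42 connecting to 208.91.114.151 port 465
2024-11-25 00:04:42 sessionn 0xca42460, SSL connected
2024-11-25 00:04:43 session: 0xca42460, rsp_state: rcpt, code: 250
2024-11-25 00:04:43 <== send mail success, m = 0xca410a0 s = 0xca42460
2024-11-25 00:09:10 connecting to 208.91.114.151 port 465
2024-11-25 00:09:11 session: 0xca43000, rsp_state: rcpt, code: 550
"""

if __name__ == "__main__":
    for sid, s in summarize(SAMPLE).items():
        print(sid, s["server"], "tls" if s["tls"] else "no-tls", next_check(s))
```

A session that reports success without an 'SSL connected' line was sent in cleartext, which is worth checking against the 'security' setting in the email server configuration.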