|
Make sure to have a working WAN link to send out the email.
Do a test ping to the default mail server: notification.fortinet.net
exe ping notification.fortinet.net
PING notification.fortinet.net (208.91.114.151): 56 data bytes
64 bytes from 208.91.114.151: icmp_seq=0 ttl=41 time=196.1 ms
64 bytes from 208.91.114.151: icmp_seq=1 ttl=41 time=195.7 ms
64 bytes from 208.91.114.151: icmp_seq=2 ttl=41 time=195.9 ms
64 bytes from 208.91.114.151: icmp_seq=3 ttl=41 time=195.9 ms
64 bytes from 208.91.114.151: icmp_seq=4 ttl=41 time=195.3 ms
Then, check the existing configuration in FortiGate.
Below is an example of default settings:
Fortigate# get system email-server
type : custom
reply-to :
server : notification.fortinet.net
port : 465
source-ip : 0.0.0.0
source-ip6 : ::
authenticate : disable
validate-server : disable
security : smtps
ssl-min-proto-version: default
interface-select-method: auto
In some cases, it is necessary to configure the interface manually:
Fortigate# set interface-select-method
auto Set outgoing interface automatically.
sdwan Set outgoing interface by SD-WAN or policy routing rules.
specify Set outgoing interface manually.
When the custom email server is used on FortiGate to send the emails out from the FortiGate for purposes like FortiToken Activation Email or Email Alerts, the emails may not be received at the user side
Check the connection to the Email Server:
- Make sure FortiGate can reach the email server.
- Try to ping the email server to verify the connectivity.
exe ping <SMTP server IP>
- If the email server is beyond the IPsec tunnel, set the source IP in the email server settings of the FortiGate with the internal interface IP.
So that, FortiGate can reach the server over the tunnel.
config system email-server
...
set source-ip {ipv4-address}
...
end
Run the alert mail debugs:
- Once the connection to the server is successful, run the below alert email debugs to see if there are any errors.
diag debug reset
diag debug enable
diag debug console timestamp enable
diag debug application alertmail -1
- After enabling the email, try to send the activation mail again or trigger a test mail.
diagnose log alertmail test
Note:
This test will send out the test mail to the email address that is configured in the alertmail setting (#conf alertmail setting).
If not configured not emails will be sent out.
Refer to this article to configure the same:
Technical Tip: How to configure alert email settings
Troubleshooting:
- If as per the debug, the 'send mail success' message appears and still do not receive the email, try to change the recipient email address to any public domain (Gmail or Yahoo).
- This is because sometimes spam filters are in place on the corporate email that block or archive the emails.
- Still, after making the change, emails are not received; make sure to have set the default-reply-to email in the email server settings.
If that is not set, the debugs will show 'send mail success' but mails will not be received.
config system email-server
set server "<Email server IP>"
set reply-to "admin@example.com" <----- Email address which is used to send emails.
If any failed are erroring the debugs, check for the below things:
- If the credentials entered for the SMTP server and port number are correct.
- Also verify the Protocol with the server as well (SMTP or SMTPS).
- Run a packet sniffer for the email server IP and see if there is bidirectional traffic.
diag sniffer packet any “host <server IP> and port <port no>” 4 0 l
If the issue still persists, collect all the debugs and the output of the above commands and submit them to the TAC ticket along with the configuration file of the FortiGate.
Then disable debug:
diag debug disable
diag debug reset
Save the output either download it via the CLI window or use the Putty tool to log them, in order to attach the debug logs to the case for TAC review.
|
