FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
tana
Staff
Staff
Description This article describes how to troubleshoot Email alert not able to sent out via default email alert settings.
Scope  
Solution

Make sure to have a working WAN link to send out the email.

Do a test ping to the default mail server : notification.fortinet.net

 

# exe ping notification.fortinet.net
PING notification.fortinet.net (208.91.114.151): 56 data bytes
64 bytes from 208.91.114.151: icmp_seq=0 ttl=41 time=196.1 ms
64 bytes from 208.91.114.151: icmp_seq=1 ttl=41 time=195.7 ms
64 bytes from 208.91.114.151: icmp_seq=2 ttl=41 time=195.9 ms
64 bytes from 208.91.114.151: icmp_seq=3 ttl=41 time=195.9 ms
64 bytes from 208.91.114.151: icmp_seq=4 ttl=41 time=195.3 ms

 

Then, check the existing configuration in FortiGate.

 

Below is an example of default settings:

 

Fortigate# get system email-server
type : custom
reply-to :
server : notification.fortinet.net
port : 465
source-ip : 0.0.0.0
source-ip6 : ::
authenticate : disable
validate-server : disable
security : smtps
ssl-min-proto-version: default
interface-select-method: auto

 

In some cases, it is necessary to configure the interface manually:

 

Fortigate# set interface-select-method
auto Set outgoing interface automatically.
sdwan Set outgoing interface by SD-WAN or policy routing rules.
specify Set outgoing interface manually.

 

When the custom email server is used on FortiGate to send the emails out from the FortiGate for purposes like FortiToken Activation Email or Email Alerts, the mails may not be received at the user side

 

Check the connection to the Email Server:

 

- Make sure FortiGate can reach the email server.

- Try to ping the email server to verify the connectivity.

 

# exe ping <SMTP server IP>

 

- If the email server is beyond the IPsec tunnel, set the source IP in the email server settings of the FortiGate with the internal interface IP.

So that, FortiGate can reach the server over the tunnel.

 

# config system email-server

      ...

     set source-ip {ipv4-address}

      ...

 end

 

Run the alertmail debugs:

 

- Once the connection to the server is successful, run the below alertmail debugs to see if there are any errors.

 

# diag debug reset
# diag debug enable
# diag debug console timestamp enable
# diag debug application alertmail -1

 

- After enabling the email, try to send the activation mail again or trigger a test mail.

 

# diagnose log alertmail test

 

Note: This test will send out the test mail to the email address that is configured in alertmail setting (#conf alertmail setting).

If not configured not emails will be send out.

 

Refer this article to configure the same: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-alert-email-settings/ta-p...

 

Troubleshooting:

 

- If as per the debug, the 'send mail success' message appears and still do not receive the email, try to change the recipient email address to any public domains (Gmail or Yahoo).

 

- This is because sometimes spam filters are in place on the corporate email that block or archive the emails.

 

- Still after making the change, emails are not received; make sure to have set the default-reply-to email in the email server settings.

If that is not set, the debugs will show 'send mail success' but mails will not be received.

 

 # config system email-server

    set server "<Email server IP>"

    set reply-to "admin@example.com" <----- Email address which is used to send emails.

 

If any failed are erroring the debugs, check for the below things:

 

- If the credentials entered for the SMTP server and port number is correct.

- Also verify the Protocol with the server as well (SMTP or SMTPS).

- Run a packet sniffer for the email server IP and see if there is bidirectional traffic.

 

# diag sniffer packet any “host <server IP> and port <port no>” 4 0 l

 

If the issue still persist, collect all the debugs and output of the above commands and submit to the TAC ticket along with the configuration file of the fortiGate.

 

Then disable debug:


# diag debug disable
# diag debug reset

 

Save the output either download it via CLI window, or use Putty tool to log them, in order to attach the debug logs to the case for TAC review.