JordAnge
Article Id 374747
Description This article describes how to fix email alert messages that are not received because of the wrong 'FROM' field.
Scope FortiGate.
Solution

The following configuration sets up an automation stitch so that an email notification is sent when a specific event happens.

 

config system email-server
    set reply-to "informatica@nginx.cgf.lan"
    set server "nginx.cgf.lan"
    set username "administrator@nginx.cgf.lan"
end


config alertemail setting
    set username "administrator@nginx.cgf.lan"
    set mailto1 "informatica@nginx.cgf.lan"
    set mailto2 "informatica-2@nginx.cgf.lan"
    set email-interval 1440
    set IPS-logs enable
    set IPsec-errors-logs enable
    set PPP-errors-logs enable
    set sslvpn-authentication-errors-logs enable
    set antivirus-logs enable
    set webfilter-logs enable
    set configuration-changes-logs enable
    set violation-traffic-logs enable
end


config system automation-trigger
    edit "VPN Login Notification"
        set event-type event-log
        set logid 39426    <---- Event ID of a new SSL VPN connection.
    next
end


config system automation-action
    edit "VPN Login Notification_email"
        set action-type email
        set email-to "informatica@nginx.cgf.lan" "informatica-2@nginx.cgf.lan"
        set email-subject "VPN Loggin Notification"
        set email-body "A new VPN has been established"
    next
end


config system automation-stitch
    edit "VPN Login Notification"
        set trigger "VPN Login Notification"
        set action "VPN Login Notification_email"
    next
end

 

 

When performing an alertmail test, the notification email is received successfully:

 

FGT # diag deb app alertmail -1
FGT # diag deb enable
FGT # diag log alertmail test

14:37:32 Arrived msg(type 4, 91 bytes):Alert Mail Test

Message body (log level = 1):

1st Line
2nd Line

14:37:32 mail_info:
from:nginx.cgf.lanuser:administrator@nginx.cgf.lan
14:37:32 mail_info:
reverse path:administrator@nginx.cgf.lan
user name:administrator
14:37:32 to[0]:informatica@nginx.cgf.lan
14:37:32 to[1]:informatica-2@nginx.cgf.lan
14:37:32 to[2]:
14:37:32 <==_init_mail_info
14:37:32 create session
14:37:32 resolve nginx.cgf.lan to 1 IP
14:37:32 ==> send mail
14:37:32 connecting to x.x.x.x port 587
14:37:32 send mail 0x5aad2b0 session 0x5183998
14:37:32 session: 0x5183998, rsp_state: greeting, code: 220
14:37:32 session: 0x5183998, rsp_state: ehlo, code: 250
14:37:32 session: 0x5183998, rsp_state: starttls, code: 220
14:37:32 rsp_starttls: creating ssl structure for session 0x5183998
14:37:32 create_ssl: 0x51724e0
14:37:32 sessionn 0x5183998, SSL connected
14:37:32 _session_on_destroy
14:37:32 <== send mail failed, m = 0x5ba93c8 s = 0x4909ab8
14:37:32 _session_on_destroy
14:37:32 <== send mail failed, m = 0x556d6b8 s = 0x556cf48
14:37:32 session: 0x5183998, rsp_state: ehlo, code: 250
14:37:32 session: 0x5183998, rsp_state: auth, code: 334
14:37:32 session: 0x5183998, rsp_state: auth2, code: 235
14:37:32 session: 0x5183998, rsp_state: mail, code: 250
14:37:32 session: 0x5183998, rsp_state: rcpt, code: 250
14:37:32 session: 0x5183998, rsp_state: rcpt, code: 250
14:37:32 session: 0x5183998, rsp_state: data, code: 354
14:37:32 === send: Alert Mail Test

Message body (log level = 1):
1st Line
2nd Line

14:37:32 session: 0x5183998, rsp_state: data2, code: 250
14:37:32 session: 0x5183998, rsp_state: quit, code: 221
14:37:32 session finined
14:37:32 _session_on_destroy
14:37:32 <== send mail success, m = 0x5aad2b0 s = 0x5183998
14:37:33 _session_on_destroy
14:37:33 <== send mail failed, m = 0x59030b0 s = 0x57882d8

 

However, when the automation stitch is triggered, the FortiGate sends an email to the destination with the wrong 'FROM' value.

 

FGT[FGT50E] Automation Stitch:VPN Login Notification is triggered.

A new VPN has been established


2025-01-17 14:21:46 mail_info:
from:nginx.cgf.lanuser:noreply
2025-01-17 14:21:46 mail_info:
reverse path:noreply@nginx.cgf.lan
user name:noreply
2025-01-17 14:21:46 to[0]:informatica@nginx.cgf.lan
2025-01-17 14:21:46 to[1]:informatica-2@nginx.cgf.lan
2025-01-17 14:21:46 <==_init_mail_info
2025-01-17 14:21:46 create session
2025-01-17 14:21:46 resolve nginx.cgf.lan to 1 IP
2025-01-17 14:21:46 ==> send mail
2025-01-17 14:21:46 connecting to x.x.x.x port 587
2025-01-17 14:21:46 send mail 0x5bfd820 session 0x5704e78
2025-01-17 14:21:46 session: 0x5704e78, rsp_state: greeting, code: 220
2025-01-17 14:21:46 session: 0x5704e78, rsp_state: ehlo, code: 250
2025-01-17 14:21:46 session: 0x5704e78, rsp_state: starttls, code: 220
2025-01-17 14:21:46 rsp_starttls: creating ssl structure for session 0x5704e78
2025-01-17 14:21:46 create_ssl: 0x49f0d60
2025-01-17 14:21:46 session: 0x5b85f80, rsp_state: auth2, code: 235
2025-01-17 14:21:46 sessionn 0x5704e78, SSL connected
2025-01-17 14:21:46 session: 0x5b85f80, rsp_state: mail, code: 250
2025-01-17 14:21:46 session: 0x5b85f80, rsp_state: rcpt, code: 250
2025-01-17 14:21:46 session: 0x5b85f80, rsp_state: rcpt, code: 250
2025-01-17 14:21:46 session: 0x5b85f80, rsp_state: data, code: 354
2025-01-17 14:21:46 === send: FGT[FGT50E] Automation Stitch:VPN Login Notification is triggered.

A new VPN has been established


2025-01-17 14:21:46 session: 0x54ce568, rsp_state: auth2, code: 235
2025-01-17 14:21:46 session: 0x54ce568, rsp_state: mail, code: 250
2025-01-17 14:21:46 session: 0x5704e78, rsp_state: ehlo, code: 250
2025-01-17 14:21:46 session: 0x54ce568, rsp_state: rcpt, code: 250
2025-01-17 14:21:46 session: 0x5704e78, rsp_state: auth, code: 334
2025-01-17 14:21:46 session: 0x54ce568, rsp_state: rcpt, code: 250
2025-01-17 14:21:46 session: 0x54ce568, rsp_state: data, code: 354
2025-01-17 14:21:46 === send: FGT[FGT50E] Automation Stitch:VPN Login Notification is triggered.

A new VPN has been established

2025-01-17 14:21:46 session: 0x5ad1570, rsp_state: auth2, code: 235
2025-01-17 14:21:46 session: 0x5ad1570, rsp_state: mail, code: 250
2025-01-17 14:21:46 session: 0x5ad1570, rsp_state: rcpt, code: 250
2025-01-17 14:21:46 session: 0x5ad1570, rsp_state: rcpt, code: 250
2025-01-17 14:21:46 session: 0x5ad1570, rsp_state: data, code: 354

... Output Truncated
2025-01-17 14:21:52 _session_on_destroy
2025-01-17 14:21:52 <== send mail failed, m = 0x55d86b8 s = 0x4870ea0
2025-01-17 14:21:52 _session_on_destroy
2025-01-17 14:21:52 <== send mail failed, m = 0x4427610 s = 0x4909ab8
2025-01-17 14:21:52 _session_on_destroy
2025-01-17 14:21:52 <== send mail failed, m = 0x4495f30 s = 0x583f0c8

 

The alertmail debug above shows that FortiOS uses the account 'noreply' in 'FROM'. The SMTP server does not recognize this as a valid account.

 

Solution:

Configure an 'email-from' in the automation-action.

 

Example.


config system automation-action
    edit "VPN Login Notification_email"
        set email-from "administrator@nginx.cgf.lan"
    next
end
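
An added example (not part of the original article and not Fortinet code): a small Python check that reads a saved FortiGate configuration and lists every email automation-action that has no 'email-from', the condition that produced the 'noreply' sender in the debug above. The sample configuration is constructed from this article plus a hypothetical second action ("Config Change_email"), and single-line 'set' values are assumed.

```python
import shlex

# Constructed sample: the article's action before the fix, plus a
# hypothetical second action that already sets email-from.
SAMPLE_CONFIG = '''
config system email-server
    set username "administrator@nginx.cgf.lan"
end
config system automation-action
    edit "VPN Login Notification_email"
        set action-type email
        set email-to "informatica@nginx.cgf.lan" "informatica-2@nginx.cgf.lan"
        set email-subject "VPN Loggin Notification"
        set email-body "A new VPN has been established"
    next
    edit "Config Change_email"
        set action-type email
        set email-to "informatica@nginx.cgf.lan"
        set email-from "administrator@nginx.cgf.lan"
    next
end
'''

def parse_actions(config_text):
    """Return {action name: {setting: [values]}} for 'config system automation-action'."""
    actions, current, depth = {}, None, -1   # depth -1 means outside the section
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth < 0:
            if line == "config system automation-action":
                depth = 0
        elif line.startswith("config "):
            depth += 1                       # nested table inside one action
        elif line == "end":
            depth -= 1                       # back to -1 when the section closes
        elif depth == 0 and line.startswith("edit "):
            current = shlex.split(line)[1]
            actions[current] = {}
        elif depth == 0 and line == "next":
            current = None
        elif depth == 0 and current and line.startswith("set "):
            parts = shlex.split(line)        # assumes the value fits on one line
            actions[current][parts[1]] = parts[2:]
    return actions

def actions_missing_email_from(config_text):
    """Names of email actions whose email-from is unset or empty."""
    return [name for name, s in parse_actions(config_text).items()
            if s.get("action-type") == ["email"] and not any(s.get("email-from", []))]
```

Running `actions_missing_email_from()` over a configuration backup before relying on a stitch for alerting shows which notifications would be sent with the default sender.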

       

 
