FortiMail
azhunissov
Staff
Article Id 385297
Description This article describes why an SFTP scheduled remote backup fails after upgrading FortiMail to v7.2.5, v7.4.2, or higher, and how to diagnose and work around it.
Scope FortiMail v7.2.5, v7.4.2, and higher.
Solution

As of FortiMail v7.2.5 GA and v7.4.2 GA, 'ssh-rsa' (the RSA signature algorithm that uses SHA-1, RFC 4253) is no longer offered by sshd while 'strong-crypto' is enabled. If FortiMail and the SFTP server relied on 'ssh-rsa' to authenticate the server's host key when establishing the SSH session, the scheduled SFTP remote backup fails after the upgrade, because the two sides no longer share a host key algorithm. Servers that publish their RSA host key with 'rsa-sha2-256' or 'rsa-sha2-512' (RFC 8332), or that use an Ed25519 host key, are not affected.

 

As a workaround, disable the 'strong-crypto' option, which re-enables 'ssh-rsa'. Note that this setting is global: it also relaxes the algorithms accepted for administrative SSH access to the FortiMail unit, so treat it as temporary and prefer updating the SFTP server to offer a SHA-2 based host key algorithm instead.

 

config global

    set strong-crypto disable

end

 

Enabling 'strong-crypto' can also remove some Key Exchange Algorithms (KexAlgorithms) from the list FortiMail offers, which likewise causes SFTP connection failures when the server supports none of the remaining ones. The algorithm lists are exchanged in clear text in the SSH_MSG_KEXINIT packet sent by each side, so capture a PCAP of the session to see exactly what the SSH/SFTP client and server offer and where they fail to agree.

 

===== SSH session 1 (packet capture) ======

# prepare a packet sniffer, where x.x.x.x is the address of the SFTP server:

diagnose sniffer packet any "x.x.x.x" 6 0 a

Verbose level 6 prints the packets as a hex dump; save the session output to a file and convert it with Fortinet's fgt2eth tool to obtain a PCAP that opens in Wireshark.

 

===== SSH session 2 (trigger the backup) ======

# trigger a remote backup (scp also runs over SSH, so it negotiates the same host key and key exchange algorithms as the scheduled SFTP backup):

execute backup full-config scp data/backup/fortimail/FML_SN/test_fml.conf x.x.x.x username password

 

Use the captured PCAP file to compare the Key Exchange and host key algorithms offered by the client (FortiMail) with those offered by the server: the session fails on whichever list has no algorithm in common. Add a client-offered Key Exchange Algorithm to the SFTP server's list of supported KexAlgorithms; if the mismatch is in the host key list instead, configure the server to offer 'rsa-sha2-256'/'rsa-sha2-512' for its RSA host key or add an Ed25519 host key (on OpenSSH these are the KexAlgorithms and HostKeyAlgorithms directives in sshd_config).
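The comparison described above can be automated on the TCP stream extracted from the PCAP. The following is an added example, not Fortinet's code and not part of the original article: it decodes the SSH_MSG_KEXINIT packet each side sends (RFC 4253 sections 6 and 7.1), replays the negotiation rule (first client-preferred algorithm that the server also lists) for every algorithm list, and reports which list has no common entry. The sample client and server offers embedded below are constructed for the demonstration and are not real FortiMail or server output; the client set models a FortiMail with 'strong-crypto' enabled that no longer offers 'ssh-rsa', and the legacy server offers only 'ssh-rsa' as its host key algorithm.

```python
"""Decode SSH_MSG_KEXINIT from a captured stream and replay RFC 4253 negotiation."""
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists carried in SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT as an unencrypted SSH binary packet (RFC 4253 section 6).

    Only used here to fabricate sample traffic; a real capture already contains it.
    """
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        names = ",".join(lists.get(name, ())).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    payload += b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows=false, reserved
    pad = 8 - (5 + len(payload)) % 8           # total length must be a multiple of 8 ...
    if pad < 4:                                # ... with at least 4 bytes of padding
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad


def parse_kexinit(packet):
    """Decode the first binary packet of a stream, which must be SSH_MSG_KEXINIT."""
    packet_length, pad = struct.unpack(">IB", packet[:5])
    payload = packet[5:5 + packet_length - pad - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("first packet is not SSH_MSG_KEXINIT")
    off = 1 + 16                               # skip message id and 16-byte cookie
    lists = {}
    for name in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        raw = payload[off + 4:off + 4 + n]
        off += 4 + n
        lists[name] = raw.decode("ascii").split(",") if raw else []
    return lists


def kexinit_from_stream(stream):
    """Skip the 'SSH-2.0-...' identification line (and any banner lines before it)."""
    while True:
        eol = stream.find(b"\n")
        if eol < 0:
            raise ValueError("no SSH identification line found")
        line, stream = stream[:eol], stream[eol + 1:]
        if line.startswith(b"SSH-"):
            return parse_kexinit(stream)


def negotiate(client, server):
    """RFC 4253 section 7.1: first client-preferred name that the server also lists."""
    return {name: next((a for a in client[name] if a in server[name]), None)
            for name in NAME_LISTS[:8]}        # language lists need not agree


def diagnose(client_stream, server_stream):
    """Return (negotiated algorithms, names of lists with no common algorithm)."""
    chosen = negotiate(kexinit_from_stream(client_stream), kexinit_from_stream(server_stream))
    return chosen, sorted(k for k, v in chosen.items() if v is None)


# Constructed sample offers (not real FortiMail or server output).
COMMON = {  # ciphers, MACs and compression agree on both sides; only KEX/host key differ
    "encryption_algorithms_client_to_server": ["aes256-gcm@openssh.com", "aes256-ctr"],
    "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com", "aes256-ctr"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
STRONG_CLIENT = b"SSH-2.0-client\r\n" + build_kexinit({
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["rsa-sha2-512", "rsa-sha2-256", "ssh-ed25519"], **COMMON})
LEGACY_SERVER = b"SSH-2.0-legacy-server\r\n" + build_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-rsa"], **COMMON})
FIXED_SERVER = b"SSH-2.0-fixed-server\r\n" + build_kexinit({
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"], **COMMON})

if __name__ == "__main__":
    for label, server in (("legacy", LEGACY_SERVER), ("fixed", FIXED_SERVER)):
        chosen, failing = diagnose(STRONG_CLIENT, server)
        print(label, "negotiated:", chosen)
        print(label, "lists with no common algorithm:", failing or "none")
```

Against the legacy server the key exchange itself succeeds (both sides list 'diffie-hellman-group14-sha256') and the failure is isolated to the host key list, which is the 'ssh-rsa' case from this article; against the fixed server, which additionally publishes its RSA host key with 'rsa-sha2-512'/'rsa-sha2-256', every list has a match. To run it on a real capture, follow the TCP stream in Wireshark, export each direction's raw bytes, and pass them as client_stream and server_stream.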