hklb
Contributor II

IPV6 - unable to connect to fortimail on SMTP port

Hello,

I am trying to configure my FortiMail in full IPv6 settings. I'm able to manage the FortiMail on the https port, and I configured the basic settings:

- mail settings : settings, domain

- policy, access control : sender(external), recipient(internal), senderIP(::/0), action(relay)

- policy, policies : source/destination (::/0), session (inbound_session)

I did the same on another FortiMail in IPv4 settings, and all connections are OK.

Are there any settings to enable to support IPv6?

I did a packet capture on the FML and here is the result:

fortimail # diagnose sniffer packet any "port 25" 4 0
System Time: 2017-04-12 23:17:53 CEST (Uptime: 0d 2h 10m)
interfaces=[any]
filters=[port 25]
3.850562 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929 
3.850615 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930 
4.356056 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929 
4.356083 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930 
4.861313 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929 
4.861356 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930

 

Thanks in advance

 

Lucass

emnoc
Esteemed Contributor III

Well, you're on the right path: you have no listener on IPv6 for SMTP.

Can you try from the CLI execute smtptest <your ipv6address> or ::1

Does anything come up? Do you see a banner?

If yes, can you see anything in the logs?

e.g.

execute smtptest ::1

HELO mydomain.com

MAIL FROM:test1@socpuppets.com

RCPT TO:someuser@yourdomain.com

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
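
The pattern read from the capture above (each inbound SYN answered at once by an outbound RST/ACK from the FortiMail itself), as an added example that is not part of any post in this thread: a parser for the `diagnose sniffer packet` lines shown in the question that separates "reset sent by the capturing host" from "accepted" and "no reply". The SYN/ACK line shape and the 192.0.2.x flows are constructed assumptions, and the function and verdict names are hypothetical.

```python
import re

# Line shape taken from the `diagnose sniffer packet` output in the thread.
LINE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<ifc>\S+)\s+(?P<dir>in|out)\s+(?P<src>\S+)\.(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>.*)$")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    rec, tok = m.groupdict(), m["flags"].split()
    rec["syn"], rec["rst"] = "syn" in tok, "rst" in tok
    rec["seq"] = int(tok[tok.index("syn") + 1]) if rec["syn"] else None
    rec["ack"] = int(tok[tok.index("ack") + 1]) if "ack" in tok else None
    return rec

def classify(capture):
    """Map (client, cport, server, sport) -> verdict for every SYN seen."""
    pending, verdicts = {}, {}
    for p in filter(None, map(parse, capture.splitlines())):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["syn"] and p["ack"] is None:            # client SYN (or a retransmit)
            pending[fwd] = (p["seq"] + 1) & 0xFFFFFFFF
            verdicts.setdefault(fwd, "no_reply")     # dropped or filtered unless answered
        elif rev in pending and p["ack"] == pending[rev]:
            if p["rst"]:   # "out" = reset generated by the capturing host: closed port
                verdicts[rev] = "refused_locally" if p["dir"] == "out" else "reset_from_peer"
            elif p["syn"]:
                verdicts[rev] = "accepted"           # SYN/ACK: something is listening
    return verdicts

# First two exchanges from the capture posted in the thread (addresses as redacted there).
PAGE_CAPTURE = """\
3.850562 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929
3.850615 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930
4.356056 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929
4.356083 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930
"""
# Constructed flows (not from the thread): one answered with SYN/ACK, one never answered.
CONSTRUCTED = """\
1.000100 port1 in 192.0.2.10.50000 -> 192.0.2.30.25: syn 1000
1.000200 port1 out 192.0.2.30.25 -> 192.0.2.10.50000: syn 5000 ack 1001
2.000100 port1 in 192.0.2.11.50001 -> 192.0.2.30.25: syn 2000
"""

if __name__ == "__main__":
    for flow, verdict in {**classify(PAGE_CAPTURE), **classify(CONSTRUCTED)}.items():
        print(verdict, flow)
```

A `refused_locally` verdict on the IPv6 flow next to `accepted` on an IPv4 flow to the same port points at the listener binding rather than at a firewall in the path, which would more typically show up as `no_reply`.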
hklb
Contributor II

Hello emnoc,

 

Thanks for your reply.

I tested right now and the connection fails:

fortimail # execute smtptest ::1 Connection refused

Connection status to ::1 port 25: Connecting to remote host failed.

(same error with my global IP)

I searched for how to enable a listener on my IPv6 address, but I didn't find it. Could you please help me?

 

Thanks again

 

Lucas

emnoc
Esteemed Contributor III

What does the CLI command show?

e.g.

show full  sys interface

I would start at that point: either you have a valid IPv6-addressed interface or not.

 

Ken

 

hklb
Contributor II

Here is the output :

fortimail (port1) # show full-configuration
config system interface
edit port1
set type physical
set mode static
set ip 0.0.0.0/0
set ip6 2001:xxxx:xxx:db0::30/64
set allowaccess https ping ssh
set mtu 1500
set speed auto
set status up
set mac-address 00:00:00:00:00:00
next
end

 

All the communication works fine for https, ssh, ping6, except SMTP.

emnoc
Esteemed Contributor III

Dumb questions

1: For the non ::1 loopback address, does a firewall exist? (this should have effect on the loopback ::1)

2: Can you remove and re-add the ip6 address (and retry the ::1 using execute smtptest)?

e.g.

revert port<X> back to ::/0

then from the CLI test loopback; if successful, re-apply the interface IPv6 address and re-test

e.g.

execute smtptest ::1

HELO meat.google.com

MAIL FROM:auser1@yourdomain.com

RCPT TO:auser@yourdomain.com

DATA

"a test test test test "

.

DO YOUR LOGS SHOW ANYTHING?

3: Do you have a support contract? (could be a bug)

4: What FortiMail version are you running? (you might need an upgrade)

5: Did you look at the IPv6 details?

If your loopback does not work, you have major issues. The cfg looks good. Even if the fgt drops the mail due to policy, the log event should have something similar to

v3DEMDi6012341 [IPv6:::1]  ::1 11 out

Other commands to run:

diag netlink interface list loopback

diag netlink ipv6 list

 

hklb
Contributor II

1) Yes, there is a firewall between my workstation and FortiMail. I just tested bypassing it and the issue is still here.

2) Done. exec smtptest ::1 still does not work. I tried configuring the IPv6 IP on a different interface, same issue.

3) Yes, I think I will open a case next week.

4) The last release: 5.3.9. Which firmware are you using on yours?

5) I checked my config 20 times. For me, all is correctly configured.

The debug commands show the correct IP without any error on my interfaces.

I will open a case and give you feedback.

 

Lucas

emnoc
Esteemed Contributor III

I'm on 5.1.6 so can't help you, but I did just log in to a 5.2 appliance; it also works on the loopback interface.

Last question (it's dumb but needs asking): are you running on std tcp/25 for mail-services? If this is IPv6 only, check that mail-settings was not messed up. If IPv4 is working, then disregard.

 

 

 
