Support Forum
oberguru
New Contributor

Blocked port 25 on FortiGate 60C

Hello to all members

I have a big problem with the FortiGate blocking port 25 and I hope that someone will be able to help me. Since mail service is crucial for our company, this is a big problem for me.

I have a mail server which is on interface 4 (basically the DMZ interface) with, let's say, address 10.10.10.1. A VIP group is created and contains port forwarding for all necessary services for the mail server: SMTP (25), SMTPS (465), POP3S (995), IMAPS (993), NNTPS (563), HTTPS (443). Users are on interface 1.

Policies are in place:

internal1 -->internal4

internal1 --> WAN2

internal4 -->WAN2

WAN2 --> internal4

        set srcintf "wan2"
        set dstintf "internal4"
        set srcaddr "all"
        set dstaddr "msgroupvip"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all

where msgroupvip is the VIP group containing port forwarding for all necessary services.

 

The problem is that the FortiGate unit blocks port 25 (SMTP) from my external address (WAN2 interface) to the local interface where the mail server is (internal4 interface). Because of that my company has been unable to receive any email from external addresses for the past two days. We are able to send email outside and to receive and send email within the company internally (local traffic). The same issue happened about a month ago. The problem resolved itself without my intervention; I was unable to determine what caused it. Yesterday the problem arose again, and again port 25 on the FortiGate is blocked. All other ports on the VIP that forward traffic to the mail server work without problem. All forwarded ports (SMTPS, HTTPS, NNTPS, IMAPS, POP3S) work as they should and only the SMTP port is blocked. UTM features are disabled. As far as I know no attack has been detected on our network and every other service works as it should except the blocked port 25. Following instructions in some other post I even recreated the VIP port forwarding for all ports again, with no result. I even recreated the WAN2 --> internal4 policy rule with the CLI, with no result.

The firmware version is v5.0,build0305 (GA Patch 10). While we were on firmware 4.0 MR3 we never experienced this problem.

Sorry for the long post, but I tried to explain the problem in detail.

Dave_Hall
Honored Contributor

Some questions/suggestions @Ismir

 

- Is the fgt handling more than one public IP address? (e.g. one for the fgt and one for the mail server?)

- Try a 3rd-party/outside port scanner to see if port 25 is open on the fgt.

- Confirm the fgt's public IP address(es) are not on any spam block lists.

- Send 2-3 test emails from gmail/hotmail/yahoo, etc. to a company email address to see what errors pop up.

(You have not posted/indicated what error message outside/3rd parties are getting when they send email to the company, so I suggest the last two points.)

 

If the fgt is the only device with an outside IP address (e.g. the mail server has no public IP), I would set the "External IP Address/Range" on the VIP to 0/0 (i.e. wildcard).

 

On the firewall rule, it's advisable (or best practice) to only open ports when needed, so in this case you should only allow the email service ports through. (e.g. create a service group for those ports).

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Dave_Hall
Honored Contributor

Haven't completely followed the trace, but it kinda looks like it's getting lost in an ipsec tunnel.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
ede_pfau
SuperUser

Now that you have confirmed that port 25 is closed on the public address it's obvious that the VIP is not active. The FGT will act as a proxy for the external VIP address if the VIP is used in a policy.

 

Still no trace from the sniffer output... but don't worry, we already know that port 25 is closed.

 

So let's have a look at the policy table (not only the policy in question). Please post the relevant part of the config file ("config firewall policy" ... "end") and we'll see.

The good advice from Dave is 100% correct...but...at the moment the VIP isn't active and we have to fix that first. BTW, having the real public IP address or the wildcard in the VIP definition would not really help: the wildcard will be active for the FGT's public address as well, not only for the second address meant for the mailserver. So I would leave the VIP as it is (IF the definition is correct).

Ede Kernel panic: Aiee, killing interrupt handler!
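Since the thread so far has no usable sniffer output, here is an added example (not posted by anyone in the thread) of the FortiOS 5.0 CLI session a practitioner would run to see whether SMTP connections reach wan2 at all and which policy, if any, they match. "wan2" and policy 15 are from the thread; 203.0.113.5 is a placeholder for the outside host used for testing.

```fortios
# Added example, not from the thread: check whether inbound SMTP reaches wan2
# and how the FortiGate classifies it. 203.0.113.5 = placeholder test host.

# 1. Do SYNs to port 25 arrive on wan2 at all? Verbose level 4 prints the
#    interface name with each packet; 20 is the number of packets to capture.
diagnose sniffer packet wan2 'port 25' 4 20

# 2. Trace the route/VIP/policy lookup for exactly that traffic.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter port 25
diagnose debug flow filter addr 203.0.113.5
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable
# ... now open a connection from 203.0.113.5 to the public address, port 25 ...
diagnose debug disable
diagnose debug reset

# 3. Read back the policy the trace named and compare it with the intended one.
show firewall policy 15
```

In the trace, a "DNAT" line to 192.168.210.2 followed by "Allowed by Policy-15" means the VIP and policy matched; "Denied by forward policy check" means the packet did arrive on wan2 but no policy (and therefore no VIP) was selected for it, which places the fault on the FortiGate rather than upstream.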
oberguru

Thank you ede_pfau.

Here is the firewall policy section of the config:

 

 

config firewall policy
    edit 15
        set srcintf "wan2"
        set dstintf "internal4"
        set srcaddr "all"
        set dstaddr "vipsmtp" -------------> Policy with the SMTP VIP; vipsmtp is a VIP group containing the SMTP VIP
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 14
        set srcintf "wan2"
        set dstintf "internal4"
        set srcaddr "all"
        set dstaddr "msgroupvipSOFTNET" -----------> Policy with all other VIPs (SMTPS, HTTPS, etc.); msgroupvipSOFTNET is the VIP group containing these VIPs
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 13
        set srcintf "internal1"
        set dstintf "wan2"
        set srcaddr "Filter_basic"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set webfilter-profile "basic_filter"
        set application-list "default"
        set profile-protocol-options "default"
        set nat enable
    next
    edit 4
        set srcintf "internal1"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    edit 25
        set srcintf "internal4"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 3
        set srcintf "internal1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 6
        set srcintf "internal1"
        set dstintf "HQ_to_Liv_p1"
        set srcaddr "Pobjeda_internal"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 7
        set srcintf "HQ_to_Liv_p1"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "Pobjeda_internal"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 9
        set srcintf "Roaming"
        set dstintf "internal1"
        set srcaddr "Wizard_address"
        set dstaddr "Pobjeda_internal"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 10
        set srcintf "internal1"
        set dstintf "Roaming"
        set srcaddr "Pobjeda_internal"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set srcintf "Roaming"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 12
        set srcintf "Roaming"
        set dstintf "HQ_to_Liv_p1"
        set srcaddr "Wizard_address"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 24
        set srcintf "internal1"
        set dstintf "internal4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 19
        set srcintf "internal4"
        set dstintf "internal1"
        set srcaddr "Mail Alternativa"
        set dstaddr "DMZ to SAN STORAGE"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 20
        set srcintf "Roaming"
        set dstintf "internal4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

 

Here is the VIP section of config file:

 

config firewall vip
    edit "Mail-server-vip-SMTPS"
        set extip 1.1.1.1 -----------> Address changed for security reasons
        set extintf "wan2"
        set portforward enable
        set mappedip 192.168.210.2
        set extport 465
        set mappedport 465
    next
    edit "Mail-server-vip-POP3S"
        set extip 1.1.1.1
        set extintf "wan2"
        set portforward enable
        set mappedip 192.168.210.2
        set extport 995
        set mappedport 995
    next
    edit "Mail-server-vip-IMAPS"
        set extip 1.1.1.1
        set extintf "wan2"
        set portforward enable
        set mappedip 192.168.210.2
        set extport 993
        set mappedport 993
    next
    edit "Mail-server-vip-NNTPS"
        set extip 1.1.1.1
        set extintf "wan2"
        set portforward enable
        set mappedip 192.168.210.2
        set extport 563
        set mappedport 563
    next
    edit "Mail-server-vip-LDAPS"
        set extip 1.1.1.1
        set extintf "wan2"
        set portforward enable
        set mappedip 192.168.210.2
        set extport 636
        set mappedport 636
    next
    edit "Mail-server-vip-HTTPS"
        set extip 1.1.1.1
        set extintf "wan2"
        set portforward enable
        set mappedip 192.168.210.2
        set extport 443
        set mappedport 443
    next
    edit "Mail-server-vip-HTTP"
        set extip 1.1.1.1
        set extintf "wan2"
        set portforward enable
        set mappedip 192.168.210.2
        set extport 80
        set mappedport 80
    next
    edit "Mail-server-VIP-SMTPSUB"
        set extip 1.1.1.1
        set extintf "wan2"
        set portforward enable
        set mappedip 192.168.210.2
        set extport 587
        set mappedport 587
    next
    edit "MSVIPSMTP"
        set extip 1.1.1.1
        set extintf "wan2"
        set portforward enable
        set mappedip 192.168.210.2
        set extport 25
        set mappedport 25
    next
end

emnoc
Esteemed Contributor III

Good advice from Ede

 

Also don't forget the route table; that above output and the ipsec-interface seem weird and a little bit suspicious.

 

PCNSE NSE StrongSwan
oberguru
New Contributor

Little update

 

Since we have more public addresses available, I added an additional public address on the WAN2 interface as suggested in one post that I found, created VIPs for SMTP and HTTPS from this address to the mail server for testing purposes, created a policy with the new VIPs, and still have the same problem. HTTPS forwarding works like a charm but the SMTP port on the new address is blocked.

 

I really don't know what else to do except restore factory settings and start configuring from scratch. I don't understand how everything worked on 4.0 MR3 and after the upgrade to 5.0 access to port 25 is blocked.

 

oberguru

1: all other port-forwards are working?

 

Yes, all other port forwarding works without problem.

 

2: port 25 is not ?

 

Port 25 is blocked in any scenario.

 

3: have you ensured the policy that allows external into the VIP is ordered correctly in the sequence? It won't hurt to move it to the top of the chain per se.

 

Yes, I made that adjustment in the GUI (Policy - Global View) and ensured that the policy for wan2 --> internal4 is at the top of the list.

 

 

emnoc
Esteemed Contributor III

Just to be clear;

 

1: all other port-forwards are working?

 

2: port 25 is not ?

 

3: have you ensured the policy that allows external into the VIP is ordered correctly in the sequence?

 

It won't hurt to move it to the top of the chain per-se

 

 

e.g. (CLI)

config firewall policy
    move <id#> before <id#>
end

 

This would be the policy you have, moved before the top-most policy ID. I don't think you have to rebuild from scratch, but it does sound like something is not correct or there is a stray.

 

 

 

PCNSE NSE StrongSwan
ede_pfau
SuperUser

The policy sequence is determined in the "per interface-pair" view not the global view (well, it might be by coincidence but the decision is made when source and destination interfaces are determined). Make sure you see the "ID" field in the per interface-pair view and that policy 15 comes first.

 

For the sake of clarity, please don't use a VIP group in policy 15 but the VIP itself. There is still a (minimal) chance that the VIP will not work as expected just because it's used in a VIP group.

 

While testing it won't hurt to reboot the FGT from time to time, to clear internal tables etc.

 

From your last post I have the suspicion that you have assigned the "other" public address(es) as secondary address(es) to wan2. Is that true? If so, delete these secondary addresses. The VIP will act like one (as an ARP proxy), with the additional functionality of port translation. Configuring both will do no good.

 

Then, I see that you forward ports 465 and 587 as well as port 25. From the behavior of clients from internal1 we can be sure that the mailserver responds to all 3 ports, right?

 

Ede Kernel panic: Aiee, killing interrupt handler!
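Pulling together Dave's advice (allow only the mail service ports instead of "ALL") and Ede's (reference the VIP itself rather than a VIP group, and make sure policy 15 is first in the wan2 -> internal4 sequence), here is an added example of how policy 15 would look with those changes applied. It is not the thread author's configuration; "MSVIPSMTP", "wan2", "internal4" and policy IDs 14/15 are taken from the posted config, while the service name "SMTP-25" is an assumed one (the built-in "SMTP" object would serve as well).

```fortios
# Added example, not the thread author's config: a tightened policy 15.
# Assumed name: "SMTP-25". Everything else is taken from the posted config.

config firewall service custom
    edit "SMTP-25"
        set tcp-portrange 25
    next
end

config firewall policy
    edit 15
        set srcintf "wan2"
        set dstintf "internal4"
        set srcaddr "all"
        # the VIP object itself, not the "vipsmtp" VIP group
        set dstaddr "MSVIPSMTP"
        set action accept
        set schedule "always"
        # was "ALL": only tcp/25 is needed, the VIP already maps that port
        set service "SMTP-25"
        # log every hit so the forward-traffic log shows whether it matched
        set logtraffic all
    next
    # evaluate before policy 14, the other wan2 -> internal4 policy
    move 15 before 14
end
```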
oberguru

From your last post I have the suspicion that you have assigned the "other" public address(es) as secondary address(es) to wan2. Is that true? If so, delete these secondary addresses. The VIP will act like one (as an ARP proxy), with the additional functionality of port translation. Configuring both will do no good.

 

Yes, that is correct. I removed the secondary address as you suggested. No luck, the port is still blocked.

 

Then, I see that you forward ports 465 and 587 as well as port 25. From the behavior of clients from internal1 we can be sure that the mail server responds to all 3 ports, right?

 

Yes, also correct. Internally all mail traffic flows without any problem on all ports.

 

I searched almost all posts related to problems with SMTP but none of them provides any useful lead that could help me solve the problem. This is really strange. Oddly, I didn't make any changes to the configuration prior to this problem.
