Support Forum
oberguru
New Contributor

Blocked port 25 on fortigate 60c

Hello to all members

I have a big problem with the FortiGate blocking port 25, and I hope that someone will be able to help me. Since mail service is crucial for our company, this is a big problem for me.

I have a mail server which is on interface 4 (basically the DMZ interface) with, let's say, address 10.10.10.1. A VIP group is created and contains port forwarding for all necessary services for the mail server: SMTP (25), SMTPS (465), POP3S (995), IMAPS (993), NNTPS (563), HTTPS (443). Users are on interface 1.

Policies are in place:

internal1 -->internal4

internal1 --> WAN2

internal4 -->WAN2

WAN2 --> internal4

    set srcintf "wan2"
    set dstintf "internal4"
    set srcaddr "all"
    set dstaddr "msgroupvip"
    set action accept
    set schedule "always"
    set service "ALL"
    set logtraffic all

where msgroupvip is the VIP group containing port forwarding for all necessary services.

The problem is that the FortiGate unit blocks port 25 (SMTP) from my external address (WAN2 interface) to the local interface where the mail server is (internal4 interface). Because of that my company has been unable to receive any email from external addresses for the past two days. We are able to send email outside and to receive and send emails within the company internally (local traffic). The same issue happened about a month ago. The problem resolved itself without my intervention; I was unable to determine what caused it. Yesterday the problem arose again. Again port 25 on the FortiGate is blocked. All other ports on the VIP that forward traffic to the mail server work without problem. All forwarded ports (SMTPS, HTTPS, NNTPS, IMAPS, POP3S) work as they should and only the SMTP port is blocked. UTM features are disabled. As far as I know no attack is detected on our network, and every other service works as it should except the blocked port 25. Following instructions in some other post I even recreated the VIP port forwarding for all ports again, with no result. I even recreated the policy rule for WAN2 --> internal4 via the CLI, with no result.

Firmware version is v5.0, build0305 (GA Patch 10). While we were on firmware 4.0 MR3 we never experienced this problem.

Sorry for the long post, but I tried to explain the problem in detail.

34 replies
oberguru

When you say all other mail flows, is that mail inbound? If yes, then your upstream is filtering/blocking port 25. If you go to an external host, can you connect to ports 465, 993, 995? Mail flow outbound has nothing to do with mail flow inbound. If you see no traffic on port 25, then your provider is filtering traffic destined to SMTP.

From an external host all the ports you mentioned are accessible (SMTPS, HTTPS, IMAPS, POP3S). Just to be clear, when I say internally I was referring to local traffic within the company (from interface1 ---> interface4, etc.). We are able to send email outbound from our company to external addresses, but we cannot receive any from external addresses (outside the company).

I will provide you with the log from Gmail:

Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at http://support.google.com/mail/bin/answer.py?answer=7720
[(0) b.mx.domain.com. [xxx.xxx.xxx.xxx]:25: socket error]

----- Original message -----

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:from:date:message-id:subject:to:content-type;
        bh=CaEEK/Cpjw2X8aq97q2DYHU1BNxL/MNhh9OHNUH9xls=;
        b=yWDqFz22kEvaRXagVuX4mT4anEJfLD6Vxo86Uq5CaRSlrDtv28njxawq31T2YwUsFZ
         q6XajkrpOrAdA+OHd5Ej/NPZLgx9wuyxj5aFln1K1OEUo1sj3XUEv9l0flr1jGz9uBMM
         pjR6QHna7j3kzMv5DfJkxbT79vt+nmBv+6XBf18JquzSl8iAketFIUY4OcrXGnE5HXqn
         sHRzTzYxuvz//4krp8dfFBzoYEN5Yjv8vLulYEYwcpnWumUIt/jNjLd23So+NI2a7VPP
         yowKm2ZJQeZGMyLWD3M2z7/FZRghzqBixlQF8rAttq3xnc7RtvdcNwZjUSJ3BGYxdokf
         drYA==
X-Received: by xxx.xxx.xxx.xxx with SMTP id w71mr17848253qge.104.1423311991479;
 Sat, 07 Feb 2015 04:26:31 -0800 (PST)
MIME-Version: 1.0
Received: by xxx.xxx.xxx.xxx with HTTP; Sat, 7 Feb 2015 04:26:11 -0800 (PST)
From: xxxxxxxxxxxxxxxxxx
Date: Sat, 7 Feb 2015 13:26:11 +0100
Message-ID: <CAKJKPGBZD_T8oXK6Q9GWzUywtkuvL1Oc=1JqmkCYbkAQAxSu6Q@mail.gmail.com>
Subject: test i test
To:xxxxxxxxxxxxxxxxx
Content-Type: multipart/alternative; boundary=001a11c16708a82119050e7ea56c

I checked with our provider. They do not block SMTP traffic on port 25.

I hope this will help clarify things.

oberguru

As far as I know there is no local edge router or any other filtering device.

FWIW. I know this is a stupid suggestion, and I think you already did it or it was mentioned earlier, but if you're using a host name make sure it's mapped to the correct ip_addr that you're using in the VIP statement. I had a customer who changed the A & MX records when building up his new server and he had a typo. Mail was going to x.x.x.111 and not x.x.x.11 ;)

I checked this again and everything looks fine.

Tomorrow I will transfer the mail server to another provider and then try this to determine whether the problem is in the policy and VIP or in the provider itself.

I've been dealing with this for 3 days constantly; my head is starting to spin.

oberguru

First I really would like to thank ede_pfau, emnoc and Dave Hall for your support in solving this problem.

Update

I contacted our ISP and they confirmed to me that they do not block SMTP traffic on port 25. I performed an upgrade to firmware 5.2.2 to see whether that would make a difference. No difference at all. The port is still blocked. I am pretty sure now that the problem is on my side.

I agree with emnoc that it makes no sense that just an upgrade causes this to happen on one port, but the problem arose when I performed the upgrade from 4.0 MR3 --> 5.0 --> 5.2.1. After that I performed a downgrade to 5.09. After that the problem resolved by itself. I don't believe that the downgrade had anything to do with resolving the problem. During this, no changes were made to the configuration.

On 4.0 MR3 everything worked from 2012 without any problem.

oberguru

Maybe I expressed myself wrongly in my last post. Port 25 is still blocked. I contacted Fortinet support (opened a ticket) on Friday and still haven't got a response from them. Today I will try rerouting email traffic to an alternative ISP and see whether that makes a difference. Other than that I don't have any ideas left.

oberguru

Here's what I would do to rule this out or in:
1: go to MXToolbox: http://mxtoolbox.com/diagnostic.aspx
2: install your address for the VIP (external)
3: A: start a packet sniffer: diag sniffer packet <ext-int> "port 25"
   B: start a test of your mail server
4: if you do not see any packets, then your ISP is blocking you.
5: if you see packets from MXToolbox, then you know 100% for sure that SMTP is allowed, and now you debug flow and analyze your policies.

On the FGT I didn't get any result after I started the test on MXToolbox:

FW1 # diag sniffer packet wan2 "port 25"
interfaces=[wan2]
filters=[port 25]

Here is the result from MXToolbox:

Unable to connect after 15 seconds.

Test Result: SMTP Connect - Failed To Connect
Session Transcript: Connecting to xxx.xxx.xxx.xxx 2/8/2015 2:09:41 PM Connection attempt #1 - Unable to connect after 15 seconds. [15.04 sec] MXTB-PWS3v2 15038ms
emnoc
Esteemed Contributor III

Yes, also correct. Internally all mail traffic flows without any problem on all ports.

When you say all other mail flows, is that mail inbound? If yes, then your upstream is filtering/blocking port 25. If you go to an external host, can you connect to ports:

   465

   993

   995

Mail flow outbound has nothing to do with mail flow inbound. If you see no traffic on port 25, then your provider is filtering traffic destined to SMTP.

PCNSE NSE StrongSwan
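The check emnoc asks for here (from an external host, can you complete a TCP connection to 25, 465, 993, 995?) can be scripted so that the outcome is recorded per port rather than eyeballed. The Python below is an added example, not code from this thread or from Fortinet. It distinguishes a completed handshake with a service banner from a refused connection (a host answered with RST, so the packet reached something) and from a silent timeout (the SYN was dropped on the path, which is what the MXToolbox "Unable to connect after 15 seconds" result reported later in the thread looks like). The fake SMTP listener on 127.0.0.1 is constructed here only so the probe can be exercised offline; the host name mx.example.test in its banner is made up.

```python
import socket
import threading
from typing import Dict, Tuple


def probe_tcp_banner(host: str, port: int, timeout: float = 5.0) -> Tuple[str, str]:
    """Attempt the TCP handshake to host:port and read the server greeting.

    Returns (kind, text) where kind is one of:
      "banner"              - connected and the service sent a greeting (SMTP: a 220 line)
      "connected-no-banner" - TCP connected but nothing arrived before the timeout
      "refused"             - a host answered with RST (reachable, but no listener / no forward)
      "timeout"             - the SYN was silently dropped somewhere on the path
      "error"               - any other socket error (text carries the message)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                return "connected-no-banner", ""
            if not data:
                return "connected-no-banner", ""
            return "banner", data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timeout", ""
    except OSError as exc:
        return "error", str(exc)


def probe_mail_ports(host: str, ports=(25, 465, 993, 995), timeout: float = 5.0) -> Dict[int, str]:
    """Run the probe against every port in the list and return {port: kind}."""
    return {port: probe_tcp_banner(host, port, timeout)[0] for port in ports}


def start_fake_smtp(banner: bytes = b"220 mx.example.test ESMTP ready\r\n"):
    """Constructed stand-in for a mail server on 127.0.0.1 so the probe can run offline.

    Returns (listening_socket, port); close the socket to stop the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_local_port() -> int:
    """A 127.0.0.1 port with no listener, to demonstrate the 'refused' outcome."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = start_fake_smtp()
    print("fake SMTP listener:", probe_tcp_banner("127.0.0.1", port, timeout=3.0))
    print("port with no listener:", probe_tcp_banner("127.0.0.1", closed_local_port(), timeout=3.0))
    srv.close()
```

Run it from a host outside the network against the public VIP address (probe_mail_ports("your.public.ip")): a "timeout" on 25 alongside "banner" on 465/993/995 reproduces the symptom in this thread and says the SYN never came back, not that the service refused it. That is the signal to move on to the packet sniffer on the WAN interface.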
ede_pfau
SuperUser

But OP stated that this has worked when running v4.3.x ...

Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

A mere software upgrade and port 25 failing while all others are working is not something normal. If he sees no TCP SYN on port 25, then there's a very good chance the upstream is blocking his traffic, especially if the other port-forwarded ports work. Don't you agree?

emnoc
Esteemed Contributor III

Here's what I would do to rule this out or in:

1: go to MXToolbox

http://mxtoolbox.com/diagnostic.aspx

2: install your address for the VIP (external)

3: A: start a packet sniffer: diag sniffer packet <ext-int> "port 25"

    B: start a test of your mail server

4: if you do not see any packets, then your ISP is blocking you.

5: if you see packets from MXToolbox, then you know 100% for sure that SMTP is allowed, and now you debug flow and analyze your policies.

emnoc
Esteemed Contributor III

That's telling me you have filtering upstream. Who's your service provider? Is there a local edge router or any other filtering device (L2 firewall, VACL switches / cable modem that filters / etc.)?

Note: if your VIP was not configured correctly, or if the firewall policy was bad, you still should have seen the MXToolbox request.

e.g.

49.675833 64.20.227.133.50960 -> x.x.x.26.25: syn 2956145422
52.680892 64.20.227.133.50960 -> x.x.x.26.25: syn 2956145422

FWIW. I know this is a stupid suggestion, and I think you already did it or it was mentioned earlier, but if you're using a host name make sure it's mapped to the correct ip_addr that you're using in the VIP statement. I had a customer who changed the A & MX records when building up his new server and he had a typo. Mail was going to x.x.x.111 and not x.x.x.11 ;)

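Steps 4 and 5 of emnoc's procedure, plus the note that a broken VIP or policy would still show the inbound SYN on the WAN interface, reduce to three outcomes when reading the sniffer output: no SYN at all (filtered before the firewall), SYN without a SYN/ACK coming back (the firewall or server drops it), or a completed handshake. The Python below is an added example, not code from this thread or from Fortinet. It assumes the one-line packet format quoted in the post above (timestamp, source.port -> destination.port: flags and sequence numbers) and skips the interfaces=/filters= header lines. The three captures are constructed: 203.0.113.26 stands in for the masked x.x.x.26, and 64.20.227.133 is the MXToolbox source address from the quoted output.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Line shape assumed from the example quoted on the page (diag sniffer packet, verbosity 1):
#   49.675833 64.20.227.133.50960 -> x.x.x.26.25: syn 2956145422
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]


def parse_sniffer(text: str) -> List[Packet]:
    """Turn sniffer output into Packet records; lines that are not packets (headers) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # TCP flags are the alphabetic tokens after the colon ("syn", "ack", "psh", ...);
        # the numbers beside them are sequence / acknowledgement numbers.
        flags = frozenset(tok for tok in m["rest"].split() if tok.isalpha())
        packets.append(Packet(float(m["ts"]), m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), flags))
    return packets


def classify_inbound(packets: List[Packet], vip_ip: str, port: int = 25) -> str:
    """Steps 4 and 5 of the procedure: did SYNs for the VIP reach the WAN interface, were they answered?"""
    syns = [p for p in packets if p.dst == vip_ip and p.dport == port and p.flags == {"syn"}]
    if not syns:
        return "no-syn-seen"
    # A SYN/ACK leaving the WAN interface carries the VIP address as its source after NAT.
    replies = {(p.dst, p.dport) for p in packets
               if p.src == vip_ip and p.sport == port and {"syn", "ack"} <= p.flags}
    if any((p.src, p.sport) in replies for p in syns):
        return "handshake-at-edge"
    return "syn-unanswered"


ADVICE = {
    "no-syn-seen": "No SYN to the port reached the WAN interface: it is filtered before the FortiGate "
                   "(ISP or edge device) or the public address / MX record is wrong.",
    "syn-unanswered": "SYNs arrive but nothing goes back: the FortiGate (policy or VIP) or the server "
                      "drops them; run the debug flow and review the WAN -> server policy.",
    "handshake-at-edge": "A SYN/ACK leaves the WAN interface: the port is reachable at the network "
                         "layer, so look at the mail service itself.",
}


def diagnose(capture: str, vip_ip: str, port: int = 25) -> Tuple[str, str]:
    verdict = classify_inbound(parse_sniffer(capture), vip_ip, port)
    return verdict, ADVICE[verdict]


# Constructed captures (203.0.113.26 stands in for the masked x.x.x.26 on the page).
CAPTURE_EMPTY = """interfaces=[wan2]
filters=[port 25]
"""

CAPTURE_UNANSWERED = CAPTURE_EMPTY + """\
49.675833 64.20.227.133.50960 -> 203.0.113.26.25: syn 2956145422
52.680892 64.20.227.133.50960 -> 203.0.113.26.25: syn 2956145422
"""

CAPTURE_HEALTHY = CAPTURE_EMPTY + """\
49.675833 64.20.227.133.50960 -> 203.0.113.26.25: syn 2956145422
49.676101 203.0.113.26.25 -> 64.20.227.133.50960: syn 1732599001 ack 2956145423
49.701437 64.20.227.133.50960 -> 203.0.113.26.25: ack 1732599002
"""

if __name__ == "__main__":
    for name, cap in (("empty", CAPTURE_EMPTY), ("unanswered", CAPTURE_UNANSWERED), ("healthy", CAPTURE_HEALTHY)):
        print(name, "->", diagnose(cap, "203.0.113.26"))
```

The empty capture is what the original poster saw (headers only, no packets), which is the "no-syn-seen" case; the two retransmitted SYNs in emnoc's example are "syn-unanswered", the case where the FortiGate is receiving the request and the policy or VIP needs the debug-flow treatment.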