tetelu
New Contributor

Delayed mails on mobile devices

Hi all, I have a FG800C, FM200D and an Exchange 2013 server. Before I put the FortiMail in place, everything was OK (except SPAM). Now, with FM installed, I get emails OK in Outlook, but on mobile devices with a delay of 3 to 30 minutes. Below are both configs, before and after FM:

Before FortiMail:

Virtual IP for mail:
External IP: 1.2.3.4
External service port: 0-65535/tcp
Mapped IP: 10.11.12.13
Map to port: 0-65535/tcp

Policy:
From wan1 to port23, Source: all, Destination: “Virtual IP for mail”, Schedule: always, Service: HTTPS, SMTP, SMTPS

After FortiMail:

1. Virtual IP for mail-443:
External IP: 1.2.3.4
External service port: 443/tcp
Mapped IP: 10.11.12.13
Map to port: 443/tcp

2. Virtual IP for mail-SMTP:
External IP: 1.2.3.4
External service port: 25/tcp
Mapped IP: 10.11.12.99
Map to port: 25/tcp

3. Virtual IP for mail-SMTPS:
External IP: 1.2.3.4
External service port: 465/tcp
Mapped IP: 10.11.12.99
Map to port: 465/tcp

Policy:
1. From wan1 to port23, Source: all, Destination: “Virtual IP for mail-443”, Schedule: always, Service: HTTPS
2. From wan1 to port23, Source: all, Destination: “Virtual IP for mail-SMTP”, Schedule: always, Service: SMTP
3. From wan1 to port23, Source: all, Destination: “Virtual IP for mail-SMTPS”, Schedule: always, Service: SMTPS

Why on Earth do I get the delay? The policies look logical to me. Thanks a lot!
ShrewLWD
Contributor

Hi Tetelu, I do not have a FortiMail, so I cannot speak 100% here, but Fortinets generally do not have the ability to delay, then forward anything, especially in the timeframes you are seeing. Firewall rules will either accept or reject a packet. Yes, they can cache up to 10MB before inspecting or releasing (in AV, etc.), but even that would only delay something a few seconds. What kinds of connections are you allowing from the mobile? ActiveSync only? Or POP3/IMAP/SMTP? Why are you allowing SMTPS traffic in at all? Is that for specific business-to-business servers? General traffic would not need to jump on that, so that is mostly turned on to allow POP/IMAP/SMTP mobile users. Are the mobile users who are seeing this delay using SMTPS? I don't see any POP3/POP3S or IMAP/IMAPS listed, so I am a little confused as to the SMTPS listing.
tetelu
New Contributor

Hi ShrewLWD, The SMTP(S) traffic points to the FortiMail appliance, and the HTTPS points to the Exchange server. Before FortiMail, all 3 protocols pointed to the Exchange server. All mobile users are using ActiveSync (443) and Outlook users are using 443 too. In Outlook messages arrive instantly; only with ActiveSync do I have this random delay. Thanks,
ShrewLWD
Contributor

I'm still not sure I get why you are allowing external 465 traffic to hit the FortiMail appliance? Who is sending you 465 traffic that you need to open that to the outside world? It's most likely not the issue, but I would suggest possibly closing that one up to cover for the possibility their devices are actually set up for IMAP/POP. As for ActiveSync, are you seeing delays in mobile emails being SENT FROM their devices, or delays in mobile users RECEIVING TO their device, or both? Obviously, ActiveSync can be set to varying times (e.g. PUSH, 1, 5, 15, 30, Manual) on each device... do you know what their settings for checking are set to? If it is PUSH, could they happen to have gone into a ROAMING area, and their devices have shut off DATA? I would not exclude environmental, as well as geographical, as reasons for this drop.
tetelu
New Contributor

Hi, OK, I disabled the SMTPS rule. Same thing, of course. The delays are ONLY for emails RECEIVING TO mobile devices. The push settings are the same as always (auto/as item arrives) and I tested on various devices / users. My devices are an HTC One and a BlackBerry Z10 (same settings - before FortiMail was OK, now with delays). No roaming, I'm at home/work with or without Wi-Fi. The only difference I noticed is the virtual IP setting - before, port forwarding was unchecked; now it is checked. But how can I forward two services to two internal IPs? Thanks
ShrewLWD

No, you have your VIPs set up correctly... I redirect several different ports from the same public IP address to different internal ones. Two other questions: 1) What firmware are you running on the firewall? 2) Are you seeing any errors in your firewall logs about your firewall heartbeat intervals and ActiveSync? Most Fortinets typically allow a connection to stay idle beyond the 540 seconds required by ActiveSync, but you may have dropped a setting in elsewhere that had an unintended consequence of breaking this requirement.
tetelu
New Contributor

Hi, I have Firmware Version v5.0,build3608 (GA Patch 7). How do I look for those firewall errors in the log? Where exactly? What's not clear to me is why, if I revert to the original settings (without FortiMail - all traffic to the Exchange server), everything's OK (not talking about spam...)? Thanks!
ShrewLWD
Contributor

Sorry Tetelu, you would find the heartbeat error messages in your Exchange logs, not on the firewall! Have you peeked through your Exchange logs as well? It's possible Exchange doesn't like the change, which would be far more likely to degrade or slow email traffic down than a firewall. A firewall simply doesn't have the cache space to hold up emails for any length of time, so something else is not happy with the change, and is causing the delay. Could it be your Exchange's send connectors have restrictions about who can connect? You listed 2 devices, and both have a very small possibility of also causing the problem... BlackBerry, as of about 1 1/2 years ago (when I last had to deal with one connecting to our Exchange), doesn't directly connect to our system; it comes via their servers (essentially, the communication is 2-fold: your BB to the BB server, the BB server to your Exchange). This is unless you are running your own BES. The change in the link between BB and your Exchange could be the holdup. Some HTC (depending on service provider) also want corporate mail flowing through their network first. Again, it sounds like reaching for straws, but it's something very rare that's tripping you up here.
tetelu
New Contributor

Both HTC and BB use ActiveSync. BB, from OS version 10, can be used without BES. Anyway, in the Exchange logs I got no errors, only some warnings (event ID 6002). Did an iisreset and everything works great now. Thanks!