Hi Stephen, i tried several options now, deep inspection with starttls and smtp 25 works obviously only in flow mode.

Fortinet offers the utp bundle for fortigate with email filtering and it costs extra. But what is it good for, when the main purpose, robust anti spam with incoming mail to the internal mail system is not working in proxy mode? No external mailserver will deliver mails over SMTPS, only with STARTTLS. Intrernal Clients would use SMTPS with external mail servers, but this is not the use case here. Protecting internal mail systems would be the key feature for buying the utp bundle.

Fortimail would be an option with extra costs. This is the reason in buying an UTM solution for smb customers, bundling services on one appliance saves money.

If a key feature won't work, it should not be offered. On the other hand, if this would be stated out clearly, I could have saved a lot of time.

as I explained above, this all works only with unenrypted incoming email traffic. If you want deep inspection of incoming mail with STARTTLS (above 99% of all incoming transfers), you have to choose to flow mode, proxy mode with the full anti spam options (and these are the important key functions in 7.4) just won't work, mails are running just plain through to the email server behind the fortigate.

As long as I did nothing wrong, but all tutorials and documentation I found, did not help. So to summarize it:

- flow mode: just no real antipam options, but working with STARTTLS and inspection is possible (but with simply no meaningful antispam options)

- proxy mode: works like a charm, but only with unencrypted incoming email <1% of all incoming mail would be inspected this way

I tested forth and back and tried dozens of combinations, same result in all cases.

Hi Yoda1. It seems odd that proxy mode is not working while flow is. There is no reason as far as I'm concerned for proxy mode to break anything here.

I would suggest contacting TAC to figure out if you are hitting a bug or some other configuration issue. It does sound like you are doing everything right, however. Note that 7.4 is a very new release (couple months old) and will have lots of bugs still. Mature release right now is 7.0.x which would be recommended for production use unless you need specific features only found in 7.2.x or 7.4.x.

To note, the FortiGate is first and foremost a NGFW. Yes it has lots of other features packed into it like WAF and email filter. However these are basic when compared to full-fledged appliances. For instance the email filter is really only there to detect and block spam (hence "antispam" fortiguard service). It's not meant to be a full-on email security gateway (SPF checks, quarantine, content inspection, etc).

If it fits your needs then absolutely let's keep trying to get the FortiGate working in proxy mode for you. TAC is your best bet at this point, IMO.

If you'd like to, you are welcome to post the configurations of your mail filter profiles, firewall policies, certificates, etc and we can look here but again TAC will give best response.

Hi @Yoda1 

It seems like you're looking for information about the Fortinet firewall and its capabilities for inspecting incoming email traffic. From the explanation you provided, it appears that when using flow mode, you're able to perform deep inspection of incoming mail with STARTTLS. However, the antispam options are limited in this mode. On the other hand, when using proxy mode, you have more comprehensive antispam options, but it only works for unencrypted incoming email traffic, which is less than 1% of all incoming mail.

Despite following various tutorials and documentation, you haven't been able to find a solution that meets your requirements. It can be frustrating when you encounter challenges like this. If you need further assistance or would like to explore other options, feel free to provide more specific details or ask any additional questions.