Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Mattlemon
New Contributor

FortiMail 90% Access Control (OUTBOUND)

Hi, I have an FML that seems to be working fine for receiving email but when looking at the graph for outbound ermail it shows 80+ % if emails are blocked by Access Control - Relay denied. Some emails get out. When looking at the log I don' t see internal (Protected) email addresses in the from field. I also see on the status page that AV and VMWare are green checks but the AntiSpam is orange. I' ve changed the port from 53 to 8888 and 8889 but it makes no difference. I can resolve the service.fortiguard.net and can ping the IP that it resolves to. The FML is using only one interface which is connected to an FGT and the FGT allows all traffic from the FML to the internet and SMTP traffic to the Exchange server. Thanks for any help. Matt.
15 REPLIES 15
Bromont_FTNT
Staff
Staff

Regular outbound mail from your mail server (Exchange etc) is working ok? Sounds like spammers are trying to relay through you and the Fortimail is doing it' s job blocking all that. Next issue is your Fortiguard AS problem... Can you post a screenshot of the AS status as well as what' s under Maintenance --> Fortiguard What do you get with an IP query to Fortiguard?
Mattlemon
New Contributor

Regular outbound mail from your mail server (Exchange etc) is working ok? Sounds like spammers are trying to relay through you and the Fortimail is doing it' s job blocking all that. Next issue is your Fortiguard AS problem... Can you post a screenshot of the AS status as well as what' s under Maintenance --> Fortiguard What do you get with an IP query to Fortiguard?
Hi, not all email from exchange is finding it' s way out but all incoming is fine. Screenshots attached. Thanks !
Mattlemon
New Contributor

Connected DAONDUB-FML # DAONDUB-FML # exec nslookup name service.fortiguard.net Non-authoritative answer: service.fortiguard.net canonical name = guard.fortinet.net. Name: guard.fortinet.net Address: 208.91.112.196 Name: guard.fortinet.net Address: 208.91.112.198 DAONDUB-FML # exec ping 208.91.112.196 PING 208.91.112.196 (208.91.112.196): 56 data bytes 64 bytes from 208.91.112.196: icmp_seq=0 ttl=44 time=156.1 ms 64 bytes from 208.91.112.196: icmp_seq=1 ttl=44 time=156.0 ms 64 bytes from 208.91.112.196: icmp_seq=2 ttl=44 time=156.1 ms 64 bytes from 208.91.112.196: icmp_seq=3 ttl=44 time=156.0 ms 64 bytes from 208.91.112.196: icmp_seq=4 ttl=44 time=156.0 ms --- 208.91.112.196 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 156.0/156.0/156.1 ms DAONDUB-FML #
Mattlemon
New Contributor

Licence info
Mattlemon
New Contributor

FDN Status
Mattlemon
New Contributor

Ping / Trace results
Bromont_FTNT
Staff
Staff

That first screenshot didn' t seem to make it through... For outbound mail from your mail server, are you able to find those messages that don' t make it out in the logs? try the following at CLI to get AS kickstarted again: #exec update now
Mattlemon
New Contributor

That first screenshot didn' t seem to make it through... For outbound mail from your mail server, are you able to find those messages that don' t make it out in the logs? try the following at CLI to get AS kickstarted again: #exec update now
I can' t see the emails that didn' t make it through in the log. I ran the CLI update and it kicked off an update but made no difference to the A/S unfortunately.
Bromont_FTNT
Staff
Staff

E-mails that don' t make it through...they never make it through? Or they are delayed? Is your timezone correct?
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors