FortiMail 90% Access Control (OUTBOUND)
Hi,
I have an FML that seems to be working fine for receiving email, but when looking at the graph for outbound email it shows 80+% of emails blocked by Access Control - Relay denied. Some emails get out.
When looking at the log I don't see internal (Protected) email addresses in the from field. I also see on the status page that AV and VMWare are green checks but the AntiSpam is orange. I've changed the port from 53 to 8888 and 8889 but it makes no difference. I can resolve service.fortiguard.net and can ping the IP that it resolves to.
The FML is using only one interface which is connected to an FGT and the FGT allows all traffic from the FML to the internet and SMTP traffic to the Exchange server.
Thanks for any help.
Matt.
15 REPLIES
Yup, the timezone is correct. The ones that don't make it don't seem to get through at all, but there are others that are delayed by an hour or two as well. Makes no sense.
Do you have an IP policy for your mail/exchange server that has a session profile with Sender Reputation disabled?
I do now. I also changed Exchange to stop using the "Smart Host" FML and send directly. It sent out all of the email straight away; the ones that I created hours ago all arrived, which is odd. I would have thought that FML was queuing them, but apparently it's Exchange, though only when talking to FML.
If you had a session profile with sender reputation enabled that your Exchange server was using then much of your outbound mail would have been throttled back by sender reputation.
How's FortiGuard AS looking now?
I haven't switched Exchange back to going out through the FML yet, as the AS is still orange and I want to get that resolved first.
The logs in AntiSpam mainly give the message "FortiGuard-Antispam: No Answer from server." That makes no sense, since I can resolve the DNS from the FML and I can ping it, so there is a route. Traceroute fails somewhere in the core, but that's probably due to switches having ICMP turned off. It also fails from my PC, which is on a different VLAN and subnet.
The policy that allows the FML out to the Internet allows all traffic for all destinations from all sources, so I can't for the life of me see what the issue is :(
Matt.
OK, this is resolved now.
I was having issues with getting the A/S service to connect to FDN. Turns out that the firewall was doing deep packet inspection of outbound traffic, and the default port 53 that it uses to communicate over is allowed out BUT the packets don't look anything like a DNS request, so they were rejected. That's why I could ping but not connect.
I tried changing to 8888 and 8889 but still no luck. Eventually, I ran Diag Sniffer Packet on the interface that FML was connected to and just captured traffic going to FDN. I could see the port 53 traffic coming into the firewall but no corresponding replies. So, with the filter still on, I changed it to talk over 8888 and 8889, but the traffic remained on port 53. I stopped the service to check that I was looking at the right traffic and sure enough it stopped. When I started the service again it changed to 8888 and away it went, working perfectly.
The answer is that the 'Apply' button doesn't work as it ought to: it saves the changes but doesn't apply them. I guess a change then reboot would work, but just stopping and restarting the service does the trick.
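The root cause above is worth seeing concretely: a DPI-capable firewall does not treat "UDP port 53" as "DNS"; it parses the payload and drops datagrams that are not well-formed DNS, which is exactly what happens to a non-DNS update protocol that happens to use port 53. The following is an added example, not code from the thread or from Fortinet, and it makes no claim about the FortiGuard wire format: it builds a real DNS A query for service.fortiguard.net as sample input, constructs an obviously non-DNS payload as a stand-in for "something else on port 53", and applies the kind of header and question-section checks a DPI engine performs. The capture records and the `flag_non_dns_on_port_53` helper are constructed for the example.

```python
import struct

DNS_PORT = 53


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 standard query (QTYPE=A, QCLASS=IN). Sample input, constructed."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: QR=0, RD=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)


def looks_like_dns_query(payload: bytes) -> bool:
    """Heuristic DPI-style check: does this UDP payload parse as a plausible DNS query?"""
    if len(payload) < 12:  # fixed 12-byte header is mandatory
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:  # QR bit set means response, not a client query
        return False
    if (flags >> 11) & 0xF not in (0, 1, 2):  # OPCODE: QUERY, IQUERY, STATUS
        return False
    if not 1 <= qdcount <= 4:  # real resolvers send one question; a handful at most
        return False
    pos = 12
    for _ in range(qdcount):
        # Walk the QNAME labels; each label is <len><bytes>, terminated by a zero length.
        while True:
            if pos >= len(payload):
                return False
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length > 63:  # 0x40/0x80 reserved, 0xC0 compression pointer: not valid in a query QNAME
                return False
            label = payload[pos:pos + length]
            if len(label) != length or not all(32 <= c < 127 for c in label):
                return False  # truncated or non-printable label
            pos += length
        if pos + 4 > len(payload):
            return False
        _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if qclass not in (1, 255):  # IN or ANY
            return False
    return True


def flag_non_dns_on_port_53(records: list) -> list:
    """Return the indexes of captured datagrams sent to port 53 whose payload is not DNS.
    Each record is a constructed dict: {"dst": str, "dport": int, "payload": bytes}."""
    return [
        i for i, rec in enumerate(records)
        if rec["dport"] == DNS_PORT and not looks_like_dns_query(rec["payload"])
    ]


# Constructed sample capture: one genuine DNS query and one non-DNS blob, both to port 53.
REAL_QUERY = build_dns_query("service.fortiguard.net")
NON_DNS_BLOB = bytes(range(0x80, 0x80 + 40))  # constructed stand-in, not a FortiGuard packet
SAMPLE_CAPTURE = [
    {"dst": "203.0.113.10", "dport": 53, "payload": REAL_QUERY},
    {"dst": "203.0.113.10", "dport": 53, "payload": NON_DNS_BLOB},
    {"dst": "203.0.113.10", "dport": 8888, "payload": NON_DNS_BLOB},  # moved port: not judged as DNS
]

if __name__ == "__main__":
    print("flagged as non-DNS on port 53:", flag_non_dns_on_port_53(SAMPLE_CAPTURE))
```

Running it flags only the second record: the genuine query passes, and the same blob sent to 8888 is no longer held to DNS rules, which is the effect the thread's port change was meant to achieve once the service was actually restarted. The label and question-count limits are heuristics chosen for the example; a production DPI engine applies a stricter grammar, but the shape of the decision is the same.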