Mattlemon
New Contributor

FortiMail 90% Access Control (OUTBOUND)

Hi, I have an FML that seems to be working fine for receiving email but when looking at the graph for outbound email it shows 80+ % of emails are blocked by Access Control - Relay denied. Some emails get out. When looking at the log I don't see internal (Protected) email addresses in the from field. I also see on the status page that AV and VMWare are green checks but the AntiSpam is orange. I've changed the port from 53 to 8888 and 8889 but it makes no difference. I can resolve the service.fortiguard.net and can ping the IP that it resolves to. The FML is using only one interface which is connected to an FGT and the FGT allows all traffic from the FML to the internet and SMTP traffic to the Exchange server. Thanks for any help. Matt.
Mattlemon
New Contributor

Yup, the timezone is correct. The ones that don't make it though don't seem to get through at all, but there are others that are delayed by an hour or two as well. Makes no sense.
Bromont_FTNT
Staff

Do you have an IP policy for your mail/exchange server that has a session profile with Sender Reputation disabled?
Mattlemon
New Contributor

I do now. I also changed Exchange to stop using the "Smart Host" FML and send directly. It sent out all of the email straight away; the ones that I created hours ago all arrived, which is odd. I would have thought that FML was queuing them but apparently it's Exchange, though only when talking to FML.
Bromont_FTNT
Staff

If you had a session profile with sender reputation enabled that your Exchange server was using then much of your outbound mail would have been throttled back by sender reputation. How's FortiGuard AS looking now?
Mattlemon
New Contributor

I haven't switched Exchange back to going out through the FML yet as the AS is still orange and I want to get that resolved first. The logs in AntiSpam mainly give the message "FortiGuard-Antispam: No Answer from server." That makes no sense since I can resolve the DNS from the FML, I can ping it so there is a route. Traceroute fails somewhere in the core but that's probably due to switches having ICMP turned off. It also fails from my PC which is on a different VLAN and subnet. The policy that allows the FML out to the Internet allows all traffic for all destinations from all sources so I can't for the life of me see what the issue is :( Matt.
Mattlemon
New Contributor

OK, this is resolved now. I was having issues with getting the A/S service to connect to FDN. Turns out that the firewall was doing deep packet inspection of outbound traffic and the default port 53 that it uses to communicate over is allowed out BUT the packets don't look anything like a DNS request so were rejected. That's why I could ping but not connect. I tried changing to 8888 and 8889 but still no luck. Eventually, I ran Diag Sniffer Packet on the interface that FML was connected to and just captured traffic going to FDN. I could see the port 53 traffic coming into the firewall but no corresponding replies. So, with the filter still on I changed it to talk over 8888 and 8889 but the traffic remained on port 53. I stopped the service to check that I was looking at the right traffic and sure enough it stopped. When I started the service again it changed to 8888 and away it went working perfectly. The answer is that the 'Apply' button doesn't work as it ought to: it saves the changes but doesn't apply them. I guess a change then reboot would work but just stopping and restarting the service does the trick.
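The diagnosis above rests on one observation: outbound packets to FDN on port 53 with no replies coming back. The script below is an added example (not from this thread or from Fortinet) that flags exactly that pattern in a capture; it assumes a constructed, simplified line format (`<time> <src>.<port> -> <dst>.<port>: <proto> <len>`) and constructed sample addresses, not the real sniffer output or FDN IPs.

```python
"""Flag outbound flows from a host that never receive a reply, the symptom
behind the "No Answer from server" error above. Line format and sample
addresses are constructed for this example."""
import re
from collections import defaultdict

# <time> <src_ip>.<src_port> -> <dst_ip>.<dst_port>: <proto> <len>
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)

# Constructed capture: 10.0.0.5 is the mail gateway, 192.0.2.10 stands in
# for the FortiGuard server, 198.51.100.53 is a DNS resolver that answers.
SAMPLE = """\
12.345 10.0.0.5.51234 -> 192.0.2.10.53: udp 120
12.346 10.0.0.5.51235 -> 192.0.2.10.53: udp 120
13.001 10.0.0.5.40001 -> 198.51.100.53.53: udp 45
13.020 198.51.100.53.53 -> 10.0.0.5.40001: udp 61
14.500 10.0.0.5.51236 -> 192.0.2.10.53: udp 120
15.000 10.0.0.5.33000 -> 203.0.113.7.25: tcp 60
15.010 203.0.113.7.25 -> 10.0.0.5.33000: tcp 60
"""


def parse_line(line):
    """Return (src, sport, dst, dport, proto) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])


def unanswered_flows(lines, local_ip):
    """Map (remote_ip, remote_port, proto) -> packets sent from local_ip
    for which no packet ever came back from that remote endpoint."""
    sent, answered = defaultdict(int), defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, proto = parsed
        if src == local_ip:
            sent[(dst, dport, proto)] += 1
        elif dst == local_ip:
            answered[(src, sport, proto)] += 1
    return {k: n for k, n in sent.items() if answered[k] == 0}


if __name__ == "__main__":
    for (ip, port, proto), n in unanswered_flows(SAMPLE.splitlines(), "10.0.0.5").items():
        print(f"{n} {proto} packets to {ip}:{port} with no reply")
```

Only the port 53 traffic to the stand-in FDN address is reported; the DNS query and the SMTP session both got answers and are dropped from the result, which is the same distinction the sniffer output made in the thread.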