Support Forum
NeoRant
Contributor

Fortimail - No incoming mails(external) - FortiGuard AntiSpam-IP - Reject

Attached images: blacklisted2.jpg, Blacklisted.jpg, pastedImage.png

Good day family,


Background:

We have 2 ISPs (like most companies do, for fault tolerance). FortiMail worked well until incoming mails (external) stopped coming in and were not being logged at all. My manager switched over to the other ISP (ISP2) for incoming mails (with the concern about our mail server being on a DNSBL due to the public IP change) to get them coming in again.

Timeline:

May 21, 2024: ISP1 went down. ISP1 is designated for SMTP traffic, so no more incoming mails (external & internal), and none being logged in FortiMail.

May 21-22, 2024: Failed over to ISP2; FortiMail incoming mails (external, internal) started coming in and being logged.

May 22-23, 2024: With ISP1 still down and FortiMail still receiving, an IT team member made some change in either the public DNS/DynDNS or the FortiGate firewall. As a result, no more external mails are being received or logged in FortiMail. Internal mails are being received locally, but not logged in FortiMail.

Current situation:

1. Local/internal mails are routed fine within the LAN but are NOT being logged in FortiMail.

2. Officers can SEND outgoing mails externally as before.

3. FortiMail has repeated FortiGuard AntiSpam-IP classifier messages with a disposition of REJECT.

4. ISP1 is now back online and we switched back to it for SMTP traffic, but still no incoming (external) mails, and no FortiMail logging either.

Essentially, every attempt from an outsider to send us an email results in this FortiGuard AntiSpam-IP / Reject message.

Kindly see attached images:

1. FortiMail logs (A LOT of these messages since May 23, especially after the IT member made changes; still need to ask where and what change was made).

2. A message one of our vendors received while attempting to send us a mail.

Please note, I had made no changes to the private DNS server and/or FortiMail configurations during this whole debacle; all are the same, so I am not sure what is going on.

Kindly see the post below. Could this be happening to me?

https://serverfault.com/questions/786898/fortimail-antispam-has-blacklisted-the-internal-exchange-ma...

2 Solutions
AEK
SuperUser

Hi NeoRant

I agree with Abelio.

- Local-to-local mails are not sent to FortiMail.

- Both IPs listed in your post are blocklisted in FortiGuard.

Attached images: fgd1.png, fgd2.png

- The DNS error your vendors shared probably means you have a public DNS issue, e.g. if they couldn't resolve your domain or your MX.

- On the other hand, as good practice, spam or connections from bad IPs should not be rejected but quarantined (default) or silently blocked.

AEK

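As an added example (not from this thread and not Fortinet code), the two things AEK points at can be checked from outside the gateway: whether the domain's public MX records still resolve to the public IP the SMTP traffic is currently presented from (the thing a DynDNS change after an ISP failover breaks), and whether that IP is listed on a DNS blocklist using the generic reversed-octet query convention (FortiGuard's own list is checked on the web page Abelio linked, not by this query). The domain, the RFC 5737 addresses, the `dnsbl.example` zone and the resolver table are constructed; the optional `dnspython_lookup` assumes the dnspython package and network access.

```python
"""Offline-testable inbound-mail diagnosis (added example, not from the thread).

Check 1: do the public MX records for the domain resolve to the public IP
the SMTP VIP currently uses?  Check 2: is that IP listed on a DNS blocklist?
The lookup function is injected, so the logic runs against the constructed
table below without network access.
"""
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

# lookup(name, rrtype) -> list of record strings; MX as "preference host", A as dotted quad
Lookup = Callable[[str, str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet DNSBL query name, e.g. 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_mx(records: List[str]) -> List[Tuple[int, str]]:
    """Turn "10 mail.example.com." strings into (preference, host), sorted by preference."""
    parsed = []
    for rec in records:
        pref, host = rec.split(None, 1)
        parsed.append((int(pref), host.strip().rstrip(".").lower()))
    return sorted(parsed)


def check_inbound(domain: str, expected_ips: Set[str], lookup: Lookup,
                  dnsbl_zones: List[str]) -> Dict[str, list]:
    """Return per-MX findings plus a list of human-readable problems."""
    findings: Dict[str, list] = {"mx": [], "problems": []}
    mx_records = parse_mx(lookup(domain, "MX"))
    if not mx_records:
        findings["problems"].append(f"no MX records for {domain}")
        return findings
    for pref, host in mx_records:
        addresses = lookup(host, "A")
        if not addresses:
            findings["problems"].append(f"MX {host} does not resolve")
            continue
        for ip in addresses:
            entry = {"pref": pref, "host": host, "ip": ip, "listed_on": []}
            if ip not in expected_ips:
                # Typical after an ISP failover: DynDNS still points at the other ISP's address
                findings["problems"].append(
                    f"MX {host} -> {ip} is not one of the expected public IPs {sorted(expected_ips)}")
            for zone in dnsbl_zones:
                # DNSBLs answer the reversed-octet name with a 127.0.0.x address when listed
                if lookup(dnsbl_query_name(ip, zone), "A"):
                    entry["listed_on"].append(zone)
                    findings["problems"].append(f"{ip} is listed on {zone}")
            findings["mx"].append(entry)
    return findings


# Constructed resolver table: hypothetical domain, RFC 5737 addresses, hypothetical DNSBL zone.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "MX"): ["10 mail.example.com.", "20 mail2.example.com."],
    ("mail.example.com", "A"): ["192.0.2.10"],
    # mail2.example.com is a stale secondary MX with no A record on purpose
    ("10.2.0.192.dnsbl.example", "A"): ["127.0.0.2"],  # constructed "listed" answer
}


def fake_lookup(name: str, rrtype: str) -> List[str]:
    """Offline resolver backed by FAKE_ZONE."""
    return FAKE_ZONE.get((name.lower().rstrip("."), rrtype.upper()), [])


def dnspython_lookup(name: str, rrtype: str) -> List[str]:
    """Real resolver for live use; assumes the dnspython package and network access."""
    import dns.exception
    import dns.resolver
    try:
        return [str(r) for r in dns.resolver.resolve(name, rrtype)]
    except dns.exception.DNSException:
        return []  # NXDOMAIN, no answer and timeouts all read as "no records" here


if __name__ == "__main__":
    # expected_ips is the public address the firewall's SMTP VIP currently uses (constructed).
    result = check_inbound("example.com", {"192.0.2.10"}, fake_lookup, ["dnsbl.example"])
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

Run with `fake_lookup` to see the two constructed faults (a stale MX that does not resolve and a listed address); swap in `dnspython_lookup`, your own domain and the public IP you expect the VIP to present to run it against live DNS.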
NeoRant

Hi AEK,

I believe your analysis is correct. The FWL team did go to DynDNS and did some stuff which I have not had the time to double-check. I am wondering if this is actually a public DNS issue indeed, because I changed NOTHING in my FML settings/configuration before and during the whole debacle of ISP1 going down, failing over to ISP2, then switching SMTP traffic (in FortiGate) to ISP2 (on a different IP). My FortiMail worked perfectly; I believe the FWL team messed up something in DynDNS or the FWL. Not sure.

AEK, I will investigate and update you, lokango and Abelio when I speak to the FWL team tomorrow morning.


Regards

7 Replies
lokango
New Contributor

Yes, I know the AntiSpam filter is working because I can see messages to the domain in the log getting caught by things like FortiGuard AntiSpam, SPF checks, DKIM checks, etc. However, I never see a single entry in Monitor -> Greylist, and none of the stats in the dashboard ever show anything listed for greylist.

NeoRant

Hi lokango,

Greylisting was not implemented/used, as per instruction. Everything worked fine before. Kindly tell me why the concern about greylisting?

abelio
SuperUser

Hi NeoRant

Comment on your 1: "Local/internal" emails are generally delivered within the email server environment, so it seems reasonable that you don't see logs in your gateway FML. An email from neo@domain sent to rant@domain, with 'domain' defined in your email server, doesn't need to go to FortiMail to be delivered.

Comment on your 3:
The logs you posted could be helpful.
"Policy ID: 0:1:0" indicates that those emails matched only one IP policy; check your AntiSpam profile for IP policy 1 and verify your antispam action for the FortiGuard scan configuration.
IP 43.248.103.79 is listed in FortiGuard, as you can verify at https://www.fortiguard.com/services/antispam, so the detection is working properly.
Your configured action is reject for that scan filter.

4- If you don't have FortiMail logs, I'd double-check the configuration not in the FortiMail, but in your upstream router/firewall.
Is it a FortiGate? Double-check the VIP and related firewall policy for ISP1 email traffic; be sure you are NOT NATting it.


regards / Abel
NeoRant

Hi Abelio,

It is a FortiGate FWL, yes. The FML is configured to log internal mails within the LAN as well. Both mails from the internet and local ones are logged.


NeoRant
Contributor

Good day all,

This was resolved by the FWL team, and it was possibly a public DNS issue indeed; clearly I changed nothing, and my FML settings were OK/untouched, the same as before and during production. The FWL team rectified their errors. Mails are flowing in as before, with inspections etc. Thanks for the support and guidance, everyone.
