Good day family,
Background:
We have 2 ISP (like most companies do for fault tolerance) Fortimail worked well until incoming mails (external) stopped coming/not being logged at all. My manager switched over to the other ISP2 for incoming mails (with the concern about our mail server being on the DNSBL due to public IP change) to start working coming in.
Timeline:
May 21, 2024 : ISP 1 went down, ISP 1 is designated for smtp traffic, no more incoming mails (ex
ternal & internal), neither being logged in Fortimail.
May 21-22, 2024 : Failed over to ISP2, Fortimail incoming mails(external, internal) started coming in and being logged.
May 22-23, 2024 : With ISP1 still down and Fortimail still coming, An IT team member made some change in either the public dns/DynDNS or Fortigate Firewall. As are result, no more external mails are being received as well as being logged in Fortimail. Internal mails are being received locally, but not logged in Fortimail.
Current situation:
1. Local/internal mails are routed/going on fine within the LAN but NOT being logged in Fortimail
2. Officers can SEND outgoing mails externally as before.
3. Fortimail has repeated Fortiguard AntiSpam-IP - classifier messages with a disposition of REJECT.
4. ISP1 is now back online, switched back to it for smtp traffic, but still no incoming(external) mails, no Fortimail logging either.
Essentially, every attempt from an outsider to send us an email results in this Fortiguard AntiSpam-IP / Reject message.
Kindly see attached images:
1. Fortimail Logs (A LOT of these messages since May 23, especially when the IT member made changes - Still need to ask where and what change was made)
2. A message one of our vendors received while attempting to send us a mail.
Please note, I had made no changes to private DNS server and/or Fortimail configurations during this whole debacle, all are the same, so I am not sure what is going on.
Kindly see post below. Could this be happening to me.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi NeoRant
I agree with Abelio.
- Local to local mails are not sent to FortiMail.
- Both IP listed in you post are blocklisted in FortiGuard.
- The shared DNS error from your vendors probably means you have a public DNS issue, like if it couldn't resolve your domain or your MX for example.
- On the other hand as good practice, spams or connections from bad IP should not be rejected, but quarantined (default) or silently blocked.
Hi AEK,
I believe you analysis is correct. The fwl team did go to DYNDNS and did some stuff which I have not the time to double check. I am wondering if this is actually a public dns issue indeed. Because I changed NOTHING in my FML settings/configurations before and during the whole ISP1 going down, failing over to ISP2, then switching smtp traffic(in fortigate) to ISP2(on a different IP) debacle. My Fortimai worked perfectly, I believe the FWL team messed up something in DYNDNS or the fwl. Not sure.
AEK, I will investigate and update both you. lokango and Abello when i speak to the FWL team tomorrow morning.
Regards
Yes, I know the AntiSpam filter is working because I can se messages to the domain in the log getting caught by things like Fortiguard AntiSpam, SPK checks DKIM checks, etc. However I never see a single entry in the monitor->greylist and none of the stats in the dashboard ever show anything listed for greylist https://speedtest.vet/ .
Hi Iokango,
Greylisting was not implemented/used as per instruction. Everything worked fine before. Kindly tell me why the concern about greylisting?
Hi NeoRant
comment on your 1: "Local/internal" email are generally delivered within the email server environment, so, it seems reasonable you don't see logs in your gateway FML. An email from neo@domain sent to rant@domain, being 'domain' defined in your email server doesn't needs to go to fortimail to be delivered.
comment on your 3:
Logs posted could be helpful.
"Policy ID: 0:1:0 " indicates that those emails were matched for only one IP-policy; check your Antispam profile for IP policy 1, verify your antispam action for Fortiguard Scan configuration.
IP 43.248.103.79 is listed in Fortiguard, as you can verify in https://www.fortiguard.com/services/antispam ; so the detection is working properly
Your Configured Action is reject for such scan filter.
4- If you don't have fortimail logs, I'll double-check configuration not in the fortimail, but in your upstream router/firewall.
Is it a FortiGate? double-check ViP and related firewall policy for ISP1 email traffic ; be sure you are NO-Natting it
regards
/ Abel
Hi Abello,
It is a Fortigate fwl yes. The fml is configured log internal mails within LAN as well. Both from internet and locally are logged.
Hi NeoRant
I agree with Abelio.
- Local to local mails are not sent to FortiMail.
- Both IP listed in you post are blocklisted in FortiGuard.
- The shared DNS error from your vendors probably means you have a public DNS issue, like if it couldn't resolve your domain or your MX for example.
- On the other hand as good practice, spams or connections from bad IP should not be rejected, but quarantined (default) or silently blocked.
Hi AEK,
I believe you analysis is correct. The fwl team did go to DYNDNS and did some stuff which I have not the time to double check. I am wondering if this is actually a public dns issue indeed. Because I changed NOTHING in my FML settings/configurations before and during the whole ISP1 going down, failing over to ISP2, then switching smtp traffic(in fortigate) to ISP2(on a different IP) debacle. My Fortimai worked perfectly, I believe the FWL team messed up something in DYNDNS or the fwl. Not sure.
AEK, I will investigate and update both you. lokango and Abello when i speak to the FWL team tomorrow morning.
Regards
Good day all,
This was resolved by the FWL team and possibly a public dns issue indeed, clearly I changed nothing, my fml settings were ok/untouched, same as before and during production. The fwl team rectified their errors. Mails are flowing in as before, inspections etc. Thanks for support and guidance everyone.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.