Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ideait
New Contributor II

Fortimail SMTP AUTH Failure From clients that do not use web mail (ex: printers, mobile client)

Hi, I have this problem related to my Fortimail unit.

I have installed the fortimail unit in front of a zimbra mail server in transparent mode, on the same DMZ subnet and obviously behind the fortigate.

Incoming connections are coming from port 1 configured for smtp proxy are inbound and enabling local connections

While the server is enabled on port 3 and is in pass trought both incoming and outgoing.

On the fortimail unit only one domain "example.com" is configured and the relay type is set as HOST by specifying the IP address of the mail server behind the fortimail unit, making the conection rest on relay host, everything works.

I can send mails and receive them without any problems, again from webmail.

On the other hand, when I try to connect with a client from an external network such as a mobile device or from an internal network such as a printer that sends scans via mail.

I get the error SMTP AUTH Failure.

Conversely, if the relay type on the domain is set as MX record and no longer specifying the mail server host, the error no longer occurs

But the fortimail unit no longer collects the logs, as if it engorges to protect that domain by being completely transparent and not performing any kind of control over the mail traffic in transit.

What could the SMTP AUTH failure error be due to?
I have also tried creating an SMTP authentication profile and associating it with an IP policy that allows traffic from any ip address to any address ip

 

Miguel Sotomayor Gonzalez
Miguel Sotomayor Gonzalez
1 Solution
ideait
New Contributor II

I solved the issue, basically I had to enable the proxy even for outbound sessions which are handled by a separate entry in system->mail setting->proxy
Next I created an SMTP authentication profile that would send back to my server on port 465 enabling SSL and STARTTLS.
This profile was associated with an Ip-policy and enabled SMTP authentication, as well as baypassed the spam check for authenticated SMTP connections.

Miguel Sotomayor Gonzalez

View solution in original post

Miguel Sotomayor Gonzalez
10 REPLIES 10
Anthony_E
Community Manager
Community Manager

Hello Miguel,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello Miguel,

 

I have found this KB article which explain how to disable SMTP Auth failure:

 

https://community.fortinet.com/t5/FortiMail/Technical-Tip-How-to-disable-SMTP-Auth-Failure-log/ta-p/...

 

Could you please tell me if it helped?

 

Regards,

Anthony-Fortinet Community Team.
ideait
New Contributor II

Hi, I had found this article as well, but it eliminates the log related to this error, in any case I keep having connection problems from internal network printers (which send scans via email with an account stampante@exemple.com)
and with connection from client (outlook, mail on smartphone or similar software) while webmail works regularly.

Regards

Miguel Sotomayor Gonzalez

Miguel Sotomayor Gonzalez
Miguel Sotomayor Gonzalez
Markus_M

Hi Miguel,

 

check first what the SMTP failure shows up for in the logs (Monitor > logs). Then you may be able to guess more on why this fails?

Do you have clients that work fine and are not using the webmail?

 

Best regards,

 

Markus

ideait
New Contributor II

This is an example of a log of a stamapante on a local network trying to inveigle an email scan.

#,"Date","Time","Classifier","Disposition","From","Header From","To","Subject","Message-ID","Length","Session ID","Client IP","Location","Client Name","Direction","Policy ID","Domain","Destination IP","Transfer Time","Scan Time","Log ID"
1186,"2022-09-19","10:33:44.774","SMTP Auth Failure","Reject","stampante","","","","",0,"28J8XieR004413-28J8XieT004413","192.168.0.73","ZZ","","unknown","0:1:1:SYSTEM","","192.168.10.6",0,0,"0200004413"


Currently, I have no client that works without using webmail, whether the client is in the same subnet, or coming from outside presenting itself with public IP address

Miguel Sotomayor Gonzalez
Miguel Sotomayor Gonzalez
Markus_M

Hi Miguel,

 

not sure if your FortiMail is in gateway mode for the mails passing through; that is one requirement. You seem to run it successfully in server mode.

 

The other requirement will be that your policies on the FortiMail will need to be reflecting your inbound traffic from the respective addresses.

IP policies I think are the minimum.

https://docs.fortinet.com/document/fortimail/7.2.0/administration-guide/331496/how-to-use-policies

Might help for a start to confirm what your settings there are.

 

Best regards,

 

Markus

ideait
New Contributor II

As described earlier my fortimail unit is in transaprent mode, installed in front of the zimbra mail server via a physical NIC on port 3, while on port 1 it connects to the fortigate.

Miguel Sotomayor Gonzalez
Miguel Sotomayor Gonzalez
Anthony_E
Community Manager
Community Manager

Hello,

 

Thank s a lot and we will contine to look for a solution.

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello,

 

I have found this document:

 

https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial#config...

 

Could you please tell me if it helped?

 

Regards,

Anthony-Fortinet Community Team.
Labels
Top Kudoed Authors