IPV6 - unable to connect to fortimail on SMTP port
Hello,
I'm trying to configure my FortiMail with full IPv6 settings. I'm able to manage the FortiMail on the https port, and I configured the basic settings:
- mail settings : settings, domain
- policy, access control : sender(external), recipient(internal), senderIP(::/0), action(relay)
- policy, policies : source/destination (::/0), session (inbound_session)
I did the same on another FortiMail with IPv4 settings, and all connections are OK.
Are there any settings to enable to support IPv6?
I did a packet capture on FML and here is the result:
fortimail # diagnose sniffer packet any "port 25" 4 0
System Time: 2017-04-12 23:17:53 CEST (Uptime: 0d 2h 10m)
interfaces=[any]
filters=[port 25]
3.850562 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929
3.850615 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930
4.356056 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929
4.356083 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930
4.861313 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929
4.861356 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930
Thanks in advance
Lucass
Well, you're on the right path, so you have no listener on IPv6 for SMTP.
Can you try from the CLI execute smtptest <your ipv6address> or ::1
Does anything come up? Do you see a banner?
If yes, can you see anything in the logs?
e.g.
execute smtptest ::1
HELO mydomain.com
MAIL FROM:test1@socpuppets.com
RCPT TO:someuser@yourdomain.com
PCNSE
NSE
StrongSwan
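An added example, not part of the original thread: the capture in the first post shows each SYN to port 25 answered by an RST from the appliance itself, which is the signature of "no listener" rather than a filtered port. The Python sketch below classifies sniffer lines of that layout; the sample capture is constructed (documentation addresses, extra ports 443 and 587 for contrast), and the `syn N ack M` form for a SYN/ACK line is an assumption about the sniffer's output.

```python
import re

# Constructed sample in the layout of the capture above; addresses are from the
# 2001:db8::/32 documentation range, ports 443 and 587 are added for contrast.
SAMPLE = """\
interfaces=[any]
filters=[tcp]
3.850562 port1 in 2001:db8:1::9b.4041 -> 2001:db8:db0::30.25: syn 1131742929
3.850615 port1 out 2001:db8:db0::30.25 -> 2001:db8:1::9b.4041: rst 0 ack 1131742930
4.356056 port1 in 2001:db8:1::9b.4041 -> 2001:db8:db0::30.25: syn 1131742929
4.356083 port1 out 2001:db8:db0::30.25 -> 2001:db8:1::9b.4041: rst 0 ack 1131742930
5.100000 port1 in 2001:db8:1::9b.4050 -> 2001:db8:db0::30.443: syn 700
5.100050 port1 out 2001:db8:db0::30.443 -> 2001:db8:1::9b.4050: syn 900 ack 701
6.000000 port1 in 2001:db8:1::9b.4060 -> 2001:db8:db0::30.587: syn 42
"""

LINE = re.compile(r"^\s*\d+\.\d+\s+\S+\s+(?:in|out)\s+(\S+)\s+->\s+(\S+):\s+(.+?)\s*$")

def classify(capture):
    """Return {(client, server): 'refused' | 'accepted' | 'unanswered'} per TCP attempt."""
    syn_seq, verdict = {}, {}
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # header lines such as "interfaces=[any]"
        src, dst, flags = m.group(1), m.group(2), m.group(3).split()
        if flags[0] == "syn" and "ack" not in flags:
            # Initial SYN (or a retransmission): remember its sequence number.
            syn_seq[(src, dst)] = int(flags[1])
            verdict.setdefault((src, dst), "unanswered")
        elif "ack" in flags and (dst, src) in syn_seq:
            # A reply counts only if it acknowledges SYN sequence + 1.
            ack = int(flags[flags.index("ack") + 1])
            if ack == (syn_seq[(dst, src)] + 1) % 2**32:
                if flags[0] == "rst":
                    verdict[(dst, src)] = "refused"    # host answered: nothing listening
                elif flags[0] == "syn":
                    verdict[(dst, src)] = "accepted"   # SYN/ACK: a listener exists
    return verdict

def refused_services(capture):
    """Server (address, port) pairs that reset the handshake."""
    out = set()
    for (_, server), v in classify(capture).items():
        if v == "refused":
            addr, _, port = server.rpartition(".")
            out.add((addr, int(port)))
    return out

if __name__ == "__main__":
    for pair, v in classify(SAMPLE).items():
        print(pair, v)
```

A "refused" verdict points at the service binding on the host, while "unanswered" points at something dropping packets on the path.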
Hello emnoc,
Thanks for your reply.
I tested just now and the connection fails:
fortimail # execute smtptest ::1 Connection refused
Connection status to ::1 port 25: Connecting to remote host failed.
(same error with my global IP)
I searched for how to enable a listener on my IPv6 address, but I didn't find it. Could you please help me?
Thanks again
Lucas
What does the CLI command show?
e.g.
show full sys interface
I would start at that point: either you have a valid IPv6-addressed interface or not.
Ken
PCNSE
NSE
StrongSwan
Here is the output:
fortimail (port1) # show full-configuration
config system interface
edit port1
set type physical
set mode static
set ip 0.0.0.0/0
set ip6 2001:xxxx:xxx:db0::30/64
set allowaccess https ping ssh
set mtu 1500
set speed auto
set status up
set mac-address 00:00:00:00:00:00
next
end
All the communication works fine for https, ssh and ping6, except SMTP.
Dumb questions
1: for the non ::1 loopback address, does a firewall exist? (this should have effect on the loopback ::1)
2: Can you remove and re-add the ip6 address (and retry the ::1 using execute smtptest)
e.g.
revert port<X> back to ::/0
then from the CLI test loopback; if successful, re-apply the interface IPv6 address and re-test
e.g.
execute smtptest ::1
HELO meat.google.com
MAIL FROM:auser1@yourdomain.com
RCPT TO:auser@yourdomain.com
DATA
"a test test test test "
.
DO YOUR LOGS SHOW ANYTHING?
3: do you have a support contract? (could be a bug)
4: what FortiMail version are you running? (you might need an upgrade)
5: did you look at the IPv6 details
If your loopback does not work, you have major issues. The cfg looks good. Even if the fgt drops the mail due to policy, the log event should have something similar to
v3DEMDi6012341 [IPv6:::1] ::1 11 out
Other commands to run:
diag netlink interface list loopback
diag netlink ipv6 list
PCNSE
NSE
StrongSwan
1) yes, there is a firewall between my workstation and the FortiMail. I just tested bypassing it and the issue is still there
2) done. exec smtptest ::1 still does not work. I tried to configure the IPv6 IP on a different interface, same issue
3) yes, I think I will open a case next week
4) the latest release: 5.3.9. Which firmware are you using on yours?
5) I checked my config 20 times. For me, all is correctly configured
The debug command shows the correct IP without any error on my interfaces.
I will open a case and give you feedback
Lucas
I'm on 5.1.6 so can't help you, but I did just log in to a 5.2 appliance and it also works on the loopback interface.
Last question (it's dumb but needs asking): are you running on std tcp/25 for mail-services? If this is IPv6-only, check that mail-settings was not messed up. If IPv4 is working, then disregard.
PCNSE
NSE
StrongSwan