Hello,
I'm trying to configure my Fortimail in full IPv6 settings. I'm able to manage the Fortimail on the HTTPS port, and I configured the basic settings:
- mail settings: settings, domain
- policy, access control: sender (external), recipient (internal), sender IP (::/0), action (relay)
- policy, policies: source/destination (::/0), session (inbound_session)
I did the same on another Fortimail with IPv4 settings, and all connections are OK.
Is there any setting to enable to support IPv6?
I did a packet capture on the FML and here is the result:
fortimail # diagnose sniffer packet any "port 25" 4 0
System Time: 2017-04-12 23:17:53 CEST (Uptime: 0d 2h 10m)
interfaces=[any]
filters=[port 25]
3.850562 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929
3.850615 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930
4.356056 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929
4.356083 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930
4.861313 port1 in 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041 -> 2001:xxxx:xxx:db0::30.25: syn 1131742929
4.861356 port1 out 2001:xxxx:xxx:db0::30.25 -> 2001:xxxx:xxx:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930
Thanks in advance
Lucass
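The capture above is the classic signature of a port with no listener: every inbound SYN to port 25 is answered by the Fortimail with a RST. As an added example (not part of this thread), the following Python reads lines in that `diagnose sniffer packet ... 4 0` format and reports, per client/server flow, whether the server port answered with SYN/ACK (open), RST (closed, nothing listening) or not at all (filtered). The sample lines are constructed with documentation addresses rather than the poster's.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `diagnose sniffer packet any "port 25" 4 0`, using
# documentation addresses: an IPv6 SYN answered with RST, and an IPv4 handshake that completes.
SAMPLE = """\
3.850562 port1 in 2001:db8:1:1:dd5d:40f1:f175:ce9b.4041 -> 2001:db8:1:db0::30.25: syn 1131742929
3.850615 port1 out 2001:db8:1:db0::30.25 -> 2001:db8:1:1:dd5d:40f1:f175:ce9b.4041: rst 0 ack 1131742930
5.100000 port1 in 192.0.2.10.50000 -> 192.0.2.30.25: syn 1
5.100100 port1 out 192.0.2.30.25 -> 192.0.2.10.50000: syn 2 ack 2
5.100200 port1 in 192.0.2.10.50000 -> 192.0.2.30.25: ack 3
"""

LINE_RE = re.compile(r"^[\d.]+\s+\S+\s+(?:in|out)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<rest>.*)$")
FLAG_RE = re.compile(r"\b(syn|ack|rst|fin|psh)\b")

def split_endpoint(ep):
    """'addr.port' -> (addr, port): the sniffer puts the port after the last dot,
    which works for IPv6 addresses (colons) as well as dotted IPv4 ones."""
    addr, _, port = ep.rpartition(".")
    return addr, int(port)

def parse_line(line):
    """One sniffer line -> (src, sport, dst, dport, flags), or None if not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return src, sport, dst, dport, frozenset(FLAG_RE.findall(m["rest"]))

def classify_flows(text):
    """Map (client, cport, server, sport) -> 'open', 'closed' or 'filtered' for the server port."""
    seen = defaultdict(set)                      # flow key -> server replies observed
    for line in text.splitlines():
        pkt = parse_line(line)
        if not pkt:
            continue
        src, sport, dst, dport, flags = pkt
        if flags == {"syn"}:                     # bare SYN: client opening a flow
            seen[(src, sport, dst, dport)]       # register it even if no reply follows
        elif (dst, dport, src, sport) in seen:   # packet travelling server -> client
            key = (dst, dport, src, sport)
            if {"syn", "ack"} <= flags:
                seen[key].add("synack")          # listener accepted the connection
            elif "rst" in flags:
                seen[key].add("rst")             # nothing listening on that port
    return {k: "open" if "synack" in r else "closed" if "rst" in r else "filtered"
            for k, r in seen.items()}
```

A "closed" verdict on port 25 while HTTPS and SSH to the same IPv6 address work points at the mail daemon's listener rather than at routing or a firewall in the path.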
Well, you're on the right path, so you have no listener on IPv6 for SMTP.
Can you try from the CLI: execute smtptest <your ipv6 address> or ::1
Does anything come up? Do you see a banner?
If yes, can you see anything in the logs?
e.g.
execute smtptest ::1
HELO mydomain.com
MAIL FROM:test1@socpuppets.com
RCPT TO:someuser@yourdomain.com
PCNSE
NSE
StrongSwan
Hello emnoc,
Thanks for your reply.
I tested it right now and the connection fails:
fortimail # execute smtptest ::1 Connection refused
Connection status to ::1 port 25: Connecting to remote host failed.
(same error with my global IP)
I searched how to enable the listener on my IPv6 address, but I didn't find it.. Could you please help me?
Thanks again
Lucas
What does the CLI cmd show?
e.g.
show full sys interface
I would start at that point: either you have a valid IPv6-addressed interface or not.
Ken
Here is the output:
fortimail (port1) # show full-configuration
config system interface
edit port1
set type physical
set mode static
set ip 0.0.0.0/0
set ip6 2001:xxxx:xxx:db0::30/64
set allowaccess https ping ssh
set mtu 1500
set speed auto
set status up
set mac-address 00:00:00:00:00:00
next
end
All the communication works fine for https, ssh, ping6, except SMTP..
Dumb questions
1: for the non-::1 loopback address, does a firewall exist? (this should have effect on the loopback ::1)
2: Can you remove and re-add the ip6 address (and retry ::1 using execute smtptest)
e.g.
revert port<X> back to ::/0
then from the CLI test the loopback; if successful, re-apply the interface IPv6 address and re-test
e.g.
execute smtptest ::1
HELO meat.google.com
MAIL FROM:auser1@yourdomain.com
RCPT TO:auser@yourdomain.com
DATA
"a test test test test "
.
DO YOUR LOGS SHOW ANYTHING?
3: do you have a support contract? (could be a bug)
4: what Fortimail version are you running? (you might need an upgrade)
5: did you look at the IPv6 details?
If your loopback does not work, you have major issues. The cfg looks good. Even if the fgt drops the mail due to policy, the log event should have something similar to
v3DEMDi6012341 [IPv6:::1] ::1 11 out
Other commands to run:
diag netlink interface list loopback
diag netlink ipv6 list
1) yes, there is a firewall between my workstation and the Fortimail. I just tested bypassing it and the issue is still there
2) done. exec smtptest ::1 still doesn't work. I tried to configure the IPv6 IP on a different interface, same issue
3) yes, I think I will open a case next week
4) the last release: 5.3.9. Which firmware are you using on yours?
5) I checked my config 20 times.. For me, all is correctly configured
The debug command shows the correct IP without any error on my interfaces..
I will open a case and give you feedback
Lucas
I'm on 5.1.6 so can't help you, but I did just log in to a 5.2 appliance and the loopback interface also works there.
Last question (it's dumb but needs asking): are you running on std tcp/25 for mail services? If this is IPv6 only, check that mail-settings was not messed up. If IPv4 is working, then disregard.