I just installed my Fortigate 100D in NAT mode; everything passes correctly except messaging traffic. I have my Exchange Server with the Modusgate antispam (on the same server) in my LAN. In the Fortigate I created a policy for outbound messaging traffic allowing all services from the Exchange server, and I also created a policy for incoming traffic to the Exchange server allowing the SMTP and HTTPS services. Problem: all the emails I receive are blocked by my local antispam; if I disconnect the Fortigate everything comes back correctly and I receive emails normally. I even disabled all security profiles in the LAN-to-WAN and WAN-to-LAN policies, but the problem persists. I think the Fortigate makes modifications to my SMTP packets, and that's why my antispam considers them spam!! Please, how do I make the Fortigate pass the email traffic without any modification? Is it necessary to create a NAT or policy route to the Exchange server that is in my LAN, or is the policy alone enough?
Regards,
Did you configure virtual IP for all the ports of Exchange? I use the Fortimail 200D. The MX record traffic goes to the 200D first. I changed the IP of the Exchange server by one. The fortimail 200D forwards to the Exchange server. How does SMTP route through your 100D to the Exchange server?
diag debug flow is your friend
I have agreed to ensure that SNAT is disabled, and to monitor the origin ipv4-addr that's making the attempt to the mail server.
Ken
PCNSE
NSE
StrongSwan
Hi,
zhunissov4, SC SlraidGURU, emnoc,
Thank you for your answers. The ISP sends all mail traffic to the WAN1 address of the FG, 172.16.1.2.
FG WAN1 address: 172.16.1.2 / 24
FG LAN address: 112.112.112.1 / 24
Exchange Server address: 112.112.112.1 / 24
Address of the Modusgate antispam: 112.112.112.1 / 24 (on the same server as the Exchange server)
In the FG, I created a VIP-based policy (without any security profile) to direct port 25 and 443 traffic to my Exchange server (Internal):
VIP: 172.16.1.2 > 112.112.112.1 port 25
VIP: 172.16.1.2 > 112.112.112.1 port 443
My Modusgate antispam server puts all emails in spam, and when I logged in with Modus support, we found that the FG modifies the source address of the packets. In the normal case Modus must receive emails with the address of the mail sender as the source address, and not the address of the Fortigate.
Unfortunately I cannot do the tests right away because I disconnected the FG from production. Please, in your opinion, will disabling NAT in the policy prevent the FG from modifying the source address of the packets??
Regards,
Thank you very much zhunissov4,
I will disable NAT and see what this gives...
Regards,
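The configuration the thread converges on, written out here as an added example (not taken from the original posts or from Fortinet documentation): a FortiOS CLI port-forward VIP and an inbound policy with NAT left off, so the Exchange/Modusgate host sees the real sending MTA's address rather than the FortiGate's, followed by the sniffer and debug-flow commands to confirm that. The addresses are the ones given in the thread; the interface name internal, the object names and the policy ID are assumptions.

```fortios
# Port-forward VIP for SMTP: external 172.16.1.2:25 -> Exchange 112.112.112.1:25
# (addresses as given in the thread; object names and "internal" interface are assumed)
config firewall vip
    edit "vip-exchange-smtp"
        set extip 172.16.1.2
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 25
        set mappedip "112.112.112.1"
        set mappedport 25
    next
end

# Inbound policy wan1 -> internal, destination is the VIP, no security profiles while testing.
# "set nat disable" is the key line: with NAT enabled on this policy the FortiGate rewrites
# the source address to its own internal IP, which is exactly what the antispam was seeing.
config firewall policy
    edit 10
        set name "inbound-smtp-to-exchange"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-exchange-smtp"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat disable
        set logtraffic all
    next
end

# Verify on the LAN side: the source of each connection to port 25 should be the
# remote MTA, not the FortiGate's internal address (verbosity 4 shows interface names).
diagnose sniffer packet internal 'host 112.112.112.1 and tcp port 25' 4 10

# Or trace which policy matched and which DNAT/SNAT was applied to the session.
diagnose debug flow filter port 25
diagnose debug flow trace start 20
diagnose debug enable
```

With NAT off on this policy the Exchange server's default gateway must be the FortiGate's internal address, otherwise its replies to the remote MTA never come back through the firewall and the session breaks. Only the inbound policy needs this change; the LAN-to-WAN policy keeps its own NAT setting.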