Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDLP
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SMTP Servers see Firewall IP rather than Sending ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SMTP Servers see Firewall IP rather than Sending Domain' s IP
We have an interesting problem we recently uncovered. While I do not think the problem is with the Fortigate 200A at this time, I was hoping someone could give me some insight on what conditions could cause the firewall to send its own aministrative public IP address rather than the public IP of the virtual IP for the sending domain to another email server.
We have two MDaemon email servers behind a single Fortigate 200A. We use NAT mode and virtual IP' s to translate internal, non-routable IP' s to public IPs. Each mail server hosts a couple of domains. There is only one single outbound policy on the Fortigate. Each domain has its own virtual IP so there is the internal as external IPs for each.
We recently noticed that some outbound SMTP transactions were getting rejected by the receiving email server due to the absence of a DNS PTR record for the IP. However all of the domains have PTR records. We then realized the receiving server was seeing the Fortigate' s public admin IP and not the virtual public IP of the sending domain as it should. There is no PTR record for the firewall admin IP so of course the email is rejected.
Only of the MDaemon email servers is experiencing this problem so this makes us think the Fortigate is not the source. Also, all the domains (and thus multiple virtual IPs) are affected on the MDaemon server that is experiencing the problem. The bad MDaemon email server was upgraded to version 10 a few weeks back and everything so far seems to point to it as the source of the issue.
We will be moving the MD v10 email server back to a previous version to match the one that is currently ok.
My question is what would the email server have to do in order for the Fortigate to use its own public admin IP rather than the public virtual IP? My simple guess is that the email server is not binding to any internal IP that the Fortigate recognizes and thus its having to use its own IP. I am not a network engineer so this is an uneducated guess. Could someone provide some inside to what might be causing this issue?
A different but somewhat related question is I noticed I have NAT checked on the single outbound policy but not on any of the inbound ones. Should the outbound policy have NAT checked?
Thanks so much in advance.
Don
Don Draper
Don Draper
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for prompt reply.
Create an IP Pool with the virtual public IP. On your outbound policy that handles the SMTP traffic, set the NAT to use the IP Pool.I have never had to do this before so can you elaborate on why I would do this. My other mail server behind the same Fortigate is working fine such that the outbound emails have the correct public IP of the sending domain (VIP) and not the fortigate. Also, I have only one outbound policy for all services. Perhaps I need to create service specific outbound policies but this may be outside the scope of my current issue.
To your second question. You mentioned that you " translate internal, non routable IP' s to public IPs." that' s already the answer: When you do not NAT on your outbound policies, your non routable internal IP' s are set as Source Address. The packets from the target will not find it' s way back to you.So if understand what you are saying here...I have to have the NAT checked on my outbound policy. Correct? Thanks again. Your assistance is very much appreciated.
Don Draper
Don Draper
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have never had to do this before so can you elaborate on why I would do this.exactly following Maik´s advice. Within VirtualIP menu, you´ll find IP pool menu; create a new one with just one IP in this range (IP public you want visible for your mailserver), interface, the outbund one. Now, your outbound firewall policies will have an extra dropbox to choose your ip pool.
My other mail server behind the same Fortigate is working fine such that the outbound emails have the correct public IP of the sending domain (VIP) and not the fortigate.this can only happen when your external public address matches mailserver public IP. (and VIP external IP logically)
Also, I have only one outbound policy for all services. Perhaps I need to create service specific outbound policies but this may be outside the scope of my current issue.exactly. Define a new outbound policy just for outgoing email, use it your IP pool as Maik pointed, and put the policy above other with same src/destination and that´s all. regards
regards
/ Abel
regards
/ Abel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks very much for the prompt replies. I found the problem. We had changed one of our VIPs to accomodate a new web site but had failed to make the same change in the email server. I guess since the Fortigate did not recognize the email servers internal IP (that was changed in VIP change), it had to use its own. We had looked at that multiple times so I guess it was a case of just being too close.
Each of our hosted domains (just a handful) each have their own public IP so we use VIPs for each one. In other words, a direct 1 to 1 internal to public IP translation. So we have never had to use pools in the past. I will read up on this more however as I sure this would be helpful in the future.
Thanks again.
Don Draper
Don Draper
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess since the Fortigate did not recognize the email servers internal IP (that was changed in VIP change), it had to use its own. We had looked at that multiple times so I guess it was a case of just being too close.not exactly; from administration guide: Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If this option is not selected, but a virtual IP is selected as the Destination Address, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed. regards
regards
/ Abel
regards
/ Abel
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiGate Firewall Can Sending Logs to... 113 Views
- Prevent randomization of source port 179 Views
- Fortigate DNS Settings 214 Views
- How to send destination domain to... 238 Views
- Forti vm strange request 384 Views
Labels
-
FortiGate
8,348 -
FortiClient
1,688 -
5.2
801 -
FortiManager
703 -
5.4
639 -
FortiAnalyzer
533 -
FortiSwitch
452 -
FortiAP
446 -
6.0
416 -
FortiClient EMS
394 -
5.6
362 -
FortiMail
307 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
205 -
5.0
196 -
FortiWeb
194 -
IPsec
174 -
FortiNAC
171 -
FortiGuard
132 -
6.4
128 -
SD-WAN
102 -
FortiGateCloud
100 -
FortiSIEM
96 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
80 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
56 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
50 -
High Availability
48 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Web profile
23 -
Application control
22 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
Proxy policy
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1633 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.