Hello,
In the company, we use Thunderbird and Outlook every day at 10 a.m. our e-mail STMP stop working.
This happens for exactly an hour then everything returns to normal again. We cannot send e-mails but can receive. The e-mail works properly on the website. Additionally, on several e-mail servers and it is the same.
I connected directly to the router from which the internet goes and the e-mail works. I disconnected all the devices from the forti with the thought that one of them was interrupting the connection, but it was to no avail. Restarts do not help, everything returns to normal after an hour.
Thanks for any help and suggestions
Hey Piotr,
I would suggest to check on that same firewall:
1) What policy is this traffic going through? is there a "schedule" that would say, for whatever reason "that at 10am there is no schedule to allow the traffic"?
2) Check a known client IP against the logs (you can filter for the "srcip"). At that time - what policy do you hit? After that time, when all works. what policy do you then hit?
Best regards,
Markus
Hey Markus,
1. We have nothing created to influence it.
2. We checked the logs completely, nothing else is happening. There is no difference between 10 a.m. and 3 p.m.
I forgot to add that this problem is every day for a few days then for 3-4 weeks it is calm and it comes back here no rule it may last 3 days may last 2 weeks but there are about 3-4 weeks breaks that everything works.
We changed WAM because we were not sure that there was any conflict, but there is no sign of it.
Hey Piotr,
you should at least see some logs for the SMTP traffic. Provided the policy that the traffic flows through, has logging enabled. When this happens and you have no access to SMTP in some way, see how your client tries to access the SMTP server (i.e. Thunderbird tries to contact gmail, typically at port 25). You could make an extra policy for port 25+port587, depending on what your SMTP server listens on. Make this policy log. If traffic is going out and through the firewall but maybe is not returned, not responding, the mail server mail also be the culprit.
Another method of testing:
When this issue occurs, run openssl against that server. Download openssl for Windows or run it from a Linux box.
With gmail as the example:
openssl s_client -starttls smtp -connect smtp.gmail.com:25
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = smtp.gmail.com
verify return:1
...and some more lines.
This is the expected output, so see if you do not get that output anymore.
See on the firewall whether at the time of pressing the openssl "button", there is a log of denied traffic. See with a packet capture whether your client is able to contact the server or not.
Simple packet capture on FortiGate CLI:
diag sniffer packet any 'host <yourIP> and port 25' 4 0 a
Shows you the physical ports the traffic reaches. After NATting you won't see stuff here, unless you remove the "host" statement.
Best regards,
Markus
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.