Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kamarale
New Contributor II

SSL inbound deep inspection for mail not working

Hello,

I have an SSL inbound inspection that is not working for email traffic. The action is "Bypassed".


The SSL logs say "Message SSL connection is bypassed"....

Does anyone know what could be the cause?

On SSL profile we are inspecting ALL ports.


Thank you.


AEK
SuperUser

Hi

Is the issue for SMTPS or SMTP with STARTTLS?

Are you using proxy based inspection mode?

Can you share a screenshot of the rule?

kamarale
New Contributor II

Hello AEK.

It is SMTP with STARTTLS.

The policy is in proxy-based mode. It is a classic policy only allowing port 25 to the destination server.

Thank you!

Regards

AEK

Hi Kamarale

Please share the following screenshots:

  • The SSL inspection profile
  • Double-click on the related SSL log; the reason for the bypass should be shown in the detailed logs
kamarale
New Contributor II

Hello AEK.

The detailed logs do not show any reason. I searched for "reason" and it does not appear.

Screenshots:

SSL inbound.jpg


And logs:

log-detail-1.jpg
log-detail-2.jpg


Thank you!

AEK
SuperUser

Actually I have some doubt.

As a connection to port 25 starts with unencrypted communication and then switches to TLS (via STARTTLS), it is possible that the message "SSL connection is bypassed" is generated at the first step (clear), not after STARTTLS.

To make things clear, I think more tests are required, e.g. you may send a mail containing a malware test file (EICAR) through a STARTTLS communication and see the behaviour of your FGT's antispam. If it can catch it, then your deep inspection is working properly once STARTTLS is initiated.

kamarale
New Contributor II

Hello,

We have tried that with openssl, sending EICAR, and it passes. FGT does not see/block it....

Thank you.
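An added check (not from the thread, and not Fortinet's own tooling) that complements the EICAR test AEK proposes and kamarale ran: with proxy-based deep inspection on port 25, the certificate the client sees after STARTTLS is re-signed by the FortiGate's inspection CA (Fortinet_SSL in AEK's later test), whereas a bypassed connection presents the mail server's real certificate. The script classifies the issuer line from `openssl s_client -starttls smtp` output; the hostname and CA name are placeholders.

```shell
#!/bin/sh
# Added example: tell "inspected" from "bypassed" on the STARTTLS leg by looking
# at who issued the certificate the client receives. Placeholder values below.
MAIL_HOST="${MAIL_HOST:-mail.example.test}"   # hypothetical mail server
INSPECT_CA_CN="${INSPECT_CA_CN:-Fortinet}"    # substring of the inspection CA's name

# classify_issuer OUTPUT
#   Reads s_client output and prints one of:
#     inspected  - issuer matches the FortiGate inspection CA (deep inspection active)
#     bypassed   - issuer is something else (real server cert, inspection bypassed)
#     no-tls     - no certificate at all (STARTTLS never negotiated); exit status 1
classify_issuer() {
    issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1)
    if [ -z "$issuer" ]; then
        echo "no-tls"
        return 1
    fi
    case "$issuer" in
        *"$INSPECT_CA_CN"*) echo "inspected" ;;
        *)                  echo "bypassed" ;;
    esac
}

# probe_starttls HOST
#   Opens an SMTP session on port 25, upgrades it with STARTTLS, and classifies
#   the certificate presented. QUIT is sent so the session closes cleanly.
probe_starttls() {
    out=$(printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$1:25" 2>/dev/null)
    classify_issuer "$out"
}

# Usage (needs network access to the mail server):
#   probe_starttls "$MAIL_HOST"
```

Run it from a host on the untrusted side of the FortiGate; "bypassed" together with an "Inspect all ports" setting points at the same symptom this thread describes.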

AEK

Hi

Please have a look at this example and check whether you forgot anything in your config.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Inbound-email-to-mail-server-protected-by/...

AEK
SuperUser

Hi Kamarale

I made a test and it works as expected.

The AV has scanned the attached file (my AV policy is just to reject encrypted archives, for test purposes).

FG's AV logs below:

avlog.png


And the session from Gmail was STARTTLS (confirmed in the Gmail headers, as I have opened port 25 only).

Gmail-TLS.png


Can you test with the "Fortinet_SSL" cert in your inspection profile (just like I did in my test)?

kamarale
New Contributor II

Hello AEK,

Thank you for your time.

Now it is working: the action is "inspect" and not "bypassed" in the SSL logs.

In the SSL profile I disabled "Inspect all ports", and that was basically it.....

Don't know why, but this fixed it.

Regards
