Testing The Installation

Troubleshooting tools

To locate network errors and other issues that may prevent email from passing to or through the FortiMail unit, FortiMail units feature several troubleshooting tools. You may also be able to perform additional tests from your management computer or the computers of SMTP clients and servers.

This section includes:

  • Ping and traceroute
  • Nslookup
  • Telnet connections to the SMTP port number
  • Log messages
  • Greylist and sender reputation displays
  • Mail queues and quarantines
  • Packet capture

Ping and traceroute

If your FortiMail unit cannot connect to other hosts, you may be able to use ICMP ping and traceroute to determine if the host is reachable or locate the node of your network at which connectivity fails, such as when static routes are incorrectly configured. You can do this from the FortiMail unit using CLI commands.

For example, you might use ICMP ping to determine that 172.16.1.10 is reachable (commands that you would type are highlighted in bold; responses from the FortiMail unit are not bolded):

FortiMail-400 # execute ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.4 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=64 time=0.8 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=64 time=1.4 ms
--- 172.20.120.167 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/1.4/2.4 ms

or that 192.168.1.10 is not reachable:

FortiMail-400 # execute ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
Timeout ...
Timeout ...
Timeout ...
Timeout ...
Timeout ...
--- 192.168.1.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Both ping and traceroute require that network nodes respond to ICMP ping. If you have disabled responses to ICMP on your network, hosts may appear to be unreachable to ping and traceroute, even if connections using other protocols can succeed.

If the host is not reachable, you can use traceroute to determine the router hop or host at which the connection fails:

FortiMail-400 # execute traceroute 192.168.1.10
traceroute to 192.168.1.10 (192.168.1.10), 32 hops max, 72 byte packets
 1  168.1.2  2 ms  0 ms  1 ms
 2  * * *

For more information on CLI commands, see the FortiMail CLI Reference.

Nslookup

It is critical that FortiMail has good access to DNS services to properly handle SMTP sessions and apply antispam scans, including FortiGuard Antispam. If DNS queries fail, they will be recorded in the event log.

Figure 62: Event log when DNS queries fail

If a DNS query fails or resolves incorrectly, you may want to manually query your DNS server to verify that the records are correctly configured. You can do this from the FortiMail unit using CLI commands.

For example, you might query for the mail gateway of the domain example.com (commands that you would type are highlighted in bold; responses from the FortiMail unit are not bolded):

FortiMail-400 # execute nslookup mx example.com
example.com mail exchanger = 10 mail.example.com.

or query to resolve mail.example.com and service.fortiguard.net (the domain name of a FortiGuard Distribution Network server) into IP addresses:

FortiMail-400 # execute nslookup name mail.example.com
Name: mail.example.com
Address: 192.168.1.10

FortiMail-400 # execute nslookup name service.fortiguard.net
Name: service.fortiguard.net
Address: 212.95.252.120
Name: service.fortiguard.net
Address: 72.15.145.66
Name: service.fortiguard.net
Address: 69.90.198.55

For more information on CLI commands, see the FortiMail CLI Reference.

Just as you verify DNS connectivity and configuration from the FortiMail unit, you may also be able to verify them from protected and external mail servers using similar commands. This can be necessary if the devices are configured to use different DNS servers. For details, see the documentation for those mail servers.

Telnet connections to the SMTP port number

Instead of using an SMTP client to verify SMTP connections, you can manually establish SMTP connections by using a Telnet client. Especially if your SMTP client or SMTP server is unable to establish a connection, manually attempting the connection may provide you with SMTP error codes or other insight into why the connection is failing.

Table 11: Some common SMTP error codes

SMTP error code number   Description
500                      Syntax error, command unrecognized
501                      Syntax error in parameters or arguments
502                      Command not implemented (such as for ESMTP and other SMTP protocol extensions that are not enabled/installed on the SMTP server)
503                      Bad sequence of commands

If extended SMTP error codes are installed and enabled on the target SMTP server, a manual Telnet connection may enable you to view additional error descriptions. For example, the enhanced error code 4.3.2 Please Try Again Later may notify you that a temporary condition exists preventing delivery, such as greylisting or service unavailability, and that the SMTP client should try delivery again later.

How you should establish the connection depends on the origin and destination of the SMTP connection that you want to test, either:

  • From the FortiMail unit to an SMTP server
  • To or through the FortiMail unit

From the FortiMail unit to an SMTP server

If you are not sure if the FortiMail unit can use SMTP to reach an SMTP server, you might use the execute telnettest <fqdn_str>:<port_int> CLI command.

For example, to test SMTP connectivity with mail.example.com on the standard SMTP port number, 25 (commands that you would type are highlighted in bold; responses from the FortiMail unit are not bolded):

FortiMail-400 # execute telnettest mail.example.com:25
Connecting to remote host succeeded.

To or through the FortiMail unit

If you are not sure whether an MUA can use SMTP to reach a FortiMail unit that is operating in gateway mode or server mode, or not sure which SMTP commands the FortiMail unit was configured to accept, you might open a command prompt on the email user's computer or on an external SMTP server and use the command line Telnet client.

For example, to send a test email message (commands that you would type are highlighted in bold; responses from the FortiMail unit are not bolded):

$ telnet fortimail.example.com 25
Trying fortimail.example.com...
Connected to fortimail.example.com.
Escape character is '^]'.
220 fortimail.example.com ESMTP Smtpd; Mon, 6 Oct 2008 14:47:32 -0400
EHLO mail.example.com
250-fortimail.example.com Hello [172.16.1.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10485760
250-DSN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL FROM: user1@internal.example.com
250 2.1.0 user1@example.com... Sender ok
RCPT TO: user2@external.example.net
250 2.1.5 user2@example.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: TEST

This is a test email message.
.
250 2.0.0 m96IlWkF001390 Message accepted for delivery
QUIT
221 2.0.0 fortimail.example.com closing connection
Connection closed by foreign host.
$

where:

  • fortimail.example.com is the fully qualified domain name (FQDN) of your FortiMail unit
  • the FortiMail unit is listening for SMTP connections on the default SMTP port number, 25
  • mail.example.com is the fully qualified domain name (FQDN) of a protected email server from which you are connecting, whose domain name resolves to the IP address 172.16.1.10
  • user1@internal.example.com is the email address of a sender that is internal to your protected domain, internal.example.com
  • user2@external.example.net is the email address of a recipient that is external to your protected domain
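As an added example (not part of the FortiMail guide), the Python below parses the kind of replies seen in the Telnet session above: it reads one possibly multi-line reply, lists the ESMTP extensions the EHLO response advertises (SIZE limit, AUTH mechanisms, ENHANCEDSTATUSCODES), and classifies a reply by its code class and enhanced status code, which is how you would tell a transient greylisting-style 4.3.2 reply from a permanent 5xx error like those in Table 11. The sample EHLO reply is hand-typed from the session above and the 451 reply is constructed; neither was captured from a device.

```python
import re

# Constructed sample: the multi-line EHLO reply from the manual Telnet session above.
SAMPLE_EHLO_REPLY = (
    "250-fortimail.example.com Hello [172.16.1.10], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE 10485760\r\n"
    "250-DSN\r\n"
    "250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5\r\n"
    "250-DELIVERBY\r\n"
    "250 HELP\r\n"
)

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")            # code, continuation marker, text
ENHANCED_RE = re.compile(r"^[245]\.\d{1,3}\.\d{1,3}\b")   # RFC 3463 enhanced status code

def read_reply(lines):
    """Consume exactly one SMTP reply from an iterator of raw lines: 'NNN-' lines continue
    the reply, 'NNN ' ends it. Returns (code, text parts); raises on malformed/truncated input."""
    code, parts = None, []
    for raw in lines:
        m = REPLY_RE.match(raw.rstrip("\r\n"))
        if not m:
            raise ValueError("not an SMTP reply line: %r" % raw)
        this_code, sep, text = m.groups()
        if code is not None and this_code != code:
            raise ValueError("reply code changed mid-reply: %s -> %s" % (code, this_code))
        code = this_code
        parts.append(text)
        if sep == " ":            # a space after the code marks the final line
            return int(code), parts
    raise ValueError("connection closed before the reply was complete")

def parse_ehlo(parts):
    """Map each advertised ESMTP extension (every line after the greeting) to its parameters."""
    exts = {}
    for line in parts[1:]:
        tokens = line.split()
        if tokens:
            exts[tokens[0].upper()] = tokens[1:]
    return exts

def classify(code, text):
    """RFC 5321 class of a reply (4xx: retry later, e.g. greylisting; 5xx: rejected) plus its enhanced code."""
    klass = {2: "success", 3: "intermediate", 4: "transient", 5: "permanent"}.get(code // 100, "unknown")
    m = ENHANCED_RE.match(text)
    return klass, (m.group(0) if m else None)
```

To use it against a live session, feed read_reply the lines read from the socket after each command you send and compare the SIZE value with the size of the message you intend to submit.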


This entry was posted in Administration Guides, FortiMail on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
