Problem
Antispam scans are bypassed, but antivirus scans are not.
Solution
If antivirus scans occur, but antispam scans do not, verify that white lists are not too permissive and that you have not whitelisted senders in the protected domains. White list entries cause the FortiMail unit to omit antispam scans.
Additionally, verify that either the Bypass scan on SMTP authentication option is disabled, or confirm that authenticated SMTP clients have not been compromised and are not a source of spam.
Problem
Recipient verification through SMTP fails.
Solution
If you have enabled the Recipient Address Verification option with a protected domain’s SMTP server, but recipient verification fails, possible causes include:
- The SMTP server is not available.
- The network connection is not reliable between the FortiMail unit and the SMTP server.
- The SMTP server does not support ESMTP. EHLO, as defined in ESMTP, is a part of the SMTP verification process. If the SMTP server does not support ESMTP, recipient verification will fail.
- The server is a Microsoft Exchange server and SMTP recipient verification is not enabled and configured.
When the SMTP server is unavailable for recipient verification, the FortiMail unit returns the 451 SMTP reply code. The email would remain in the sending queue of the sending MTA for the next retry.
Problem
SMTP clients receive the message 451 Try again later.
Solution
There are several situations in which the FortiMail unit could return the 451 Try again later SMTP reply code to an SMTP client. Below are some common causes.
- The greylist routine has encountered an unknown sender or the greylist entry has expired for the existing sender and recipient pair. This is an expected behavior, and, for legitimate email, will resolve itself when the SMTP client retries its delivery later during the greylist window.
- Recipient verification is enabled and the FortiMail unit is unable to connect to the recipient verification server. There should be some related entries in the antispam log, such as Verify <user@example.com> Failed, return TEMPFAIL. If this occurs, verify that the server is correctly configured to support recipient verification, and that connectivity with the recipient verification server has not been interrupted.
Problem
The FortiMail unit replies with a temporary failure SMTP reply code, and the event log shows Milter (fas_milter): timeout before data read.
Solution
The timeout is caused by the FortiMail unit not responding within 4 minutes.
Slow or unresponsive DNS server response for DNSBL and SURBL scans can cause the FortiMail unit’s antispam scans to be unable to complete before the timeout. When this occurs, the FortiMail unit will report a temporary failure. In most cases, the sending MTA will retry delivery later. If this problem is persistent, verify connectivity with your DNSBL and SURBL servers, and consider providing private DNSBL/SURBL servers on your local network.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!