FortiMail
FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats
Article Id 191680
Description
Frequently asked questions (FAQ) for FortiMail administrators
Components
  • FortiMail 2.8 MR1 or greater
Steps or Commands

Why does user verification through SMTP fail?

Possible causes for failure of the user verification function include:

  • The SMTP server is not available.
  • The SMTP server does not support ESMTP. EHLO, as defined in ESMTP, is a part of the SMTP verification process. If the SMTP server does not support ESMTP, the verification will fail.

What does the log entry 'Milter (fas_milter): timeout before data read' mean?

The timeout is caused by the FortiMail email filter not responding within four minutes.

Slow or unresponsive DNS servers can cause this problem during DNSBL and SURBL scans. When this condition occurs, the FortiMail unit reports a temporary failure, and the sending MTA will attempt to resend later.

What is the difference between temp fail and reject?

A temp fail will return the 4xx reply code. The command was not accepted, and the requested action did not occur. The error condition is temporary and the action may be requested again.

A reject will return the 5xx reply code. The sending MTA will remove the message from the sending queue and send a DSN email indicating delivery failure.

What is the cause of the message, '451 try again later'?

There are two situations in which the FortiMail unit could return the '451 try again later' message.

  • The greylist routine has encountered an unknown sender. This is expected behavior.
  • Recipient verification is enabled and the FortiMail unit is unable to connect to the verification server. There should be some related entries in the spam log. For example, 'Verify <user@example.com> Failed, return TEMPFAIL'.

How do I troubleshoot a FortiMail unit's low spam detection rate?

  • Confirm that no SMTP traffic is bypassing the FortiMail unit due to incorrect routing policy. Configure the routing or firewall device to direct all the SMTP traffic to be scanned by the FortiMail unit. Modify the DNS server to keep a single MX record entry pointing to the FortiMail unit for all protected domains.
  • Use white lists with caution. For example, a white list entry *.edu would allow all email from the edu top level domain to bypass the FortiMail unit's anti-spam scanning.
  • Ensure all domains are protected by the FortiMail unit with matching policies and proper profiles.
  • Take advantage of the FortiMail unit's adaptive and learning capabilities with features such as greylist, sender reputation, and Bayesian training.

Caution: Performance may suffer during extensive scanning activities.

Can the local domain name be different from the protected domain?

The local domain name can be the same as the protected domain for firmware 3.0. Previously, the local domain name had to be different than the protected domain. Note that the local DNS server must be able to resolve the local domain name for proper email delivery to the FortiMail unit.

Why won't the HA cluster switch over after a failure?

Depending on the type of failure, the HA cluster may not switch over (or failover) as expected. By default, FortiMail HA only monitors the HA heartbeat. It is possible that one or more services (such as SMTP, POP3, or web access) could fail on the primary unit (master) without affecting the HA heartbeat.

On the backup unit (slave) you can go to System > HA > Services and configure HA services monitoring so that the backup unit monitors SMTP, POP3, and Web services on the primary unit. The backup unit causes a failover if one of these services fails on the primary unit.

On the primary unit you can go to System > HA > Services and configure the primary unit to monitor its own active network interfaces and hard disk. The primary unit can cause a failover to occur if a primary unit network interface or hard disk fails.

Can you offer some sample values for the HA service monitoring configuration?

Remote services: Every three minutes, wait 15 seconds for service check. Take over from Master after three failures.

Local services: Check every 30 seconds for interfaces and 60 seconds for hard disk. The slave takes over after three failures.

Why won't releasing and deleting quarantined messages by email work?

There are two possible reasons:

  • The domain part of the email (for example, fortimail.example.com) must be properly resolved through the DNS server to the FortiMail unit's IP address.
  • The sender address in the release message must be the same address as the receiver of the spam report. For example, if user@example.com receives a spam report and wants to release/delete a quarantined mail, the sender address of the release message must be user@example.com. If you have multiple email accounts on an email client, the default sender address may differ from the one you need to use.

Why won't Bayesian training by user work?

  • The domain part of the message (for example, fortimail.example.com) must properly resolve to the FortiMail unit's IP address.
  • The Bayesian scan option for user (user personal database) in the active anti-spam profile must be enabled.
  • The 'Accept training messages from users' feature in the Bayesian portion of the anti-spam profile must be enabled.

Why aren't large attachments allowed through the FortiMail unit?

The FortiMail unit limits email to a default maximum size of 10 MB. You can modify this value using the 'Cap message size at' setting in the SMTP Limits section of a session profile.

How long will a deferred message remain in the deferred queue?

The FortiMail unit will try resending deferred mail every 27 minutes. If a message is still undeliverable after four hours, a warning will be sent. After five days, the FortiMail unit discards the undeliverable message and sends a DSN.

Can the FortiMail unit create a browser cookie to override the need to enter the user ID/password for users to view their quarantine list?

No, this is not feasible due to security implications.

Within the spam report, can the URL that is generated by the FortiMail unit be modified?

No, this feature is not available. The link is hard coded to the FortiMail unit. Be sure that you have a DNS resolvable name to reach the FortiMail unit within your LAN.

What type of database is used for dictionary databases?

The format of the dictionary databases is the Berkeley-Based DB.

What type of database is used for Bayesian databases?

The format of the Bayesian databases is MySQL DB.

What could cause sender reputation to block legitimate MTAs?

When sender reputation is enabled in a session profile, it relies on the thresholds set for 'Temporary fail client at' and 'Reject client at' to determine whether to block a sender. If either of these two values has a low threshold, the FortiMail unit will refuse further connections from the MTA. Modify the value of these thresholds by increasing them.

How does the FortiMail unit choose between the use of the group Bayesian database and the User Bayesian database?

Until the users have built up a mature database (a mature database is one that has 200 non-spam messages and 100 spam messages) with their own message submissions, the group database is referenced when the user database does not contain the required information. Once the user database is mature, the group database is no longer used.

How long does the sender reputation system block an MTA?

A client will be blocked for 12 hours, after which their record in the MySQL database will be removed.

In transparent mode, why should I specify relay permission in Mail Settings > Access?

Access entries with the relay permission indicate the FortiMail unit is permitted to relay mail to or from a specified IP address, domain, or email address. Without explicit relay permission, the FortiMail unit will not relay any email unless it is to or from domains defined in Mail Settings > Domains.

I am trying to use a Microsoft Exchange server with my FortiMail unit. When the User Verification is enabled with my domain, all emails are being rejected. Why?

The Exchange server cannot use the simple SMTP service to do user verification with its default settings because the Microsoft Exchange Server cannot identify if the user is valid. With Exchange Server as MTA, configure the FortiMail unit to use LDAP to do user verification. Alternatively, configure the SMTP service in Exchange to allow it to work with the FortiMail unit's user verification function.

To configure the SMTP service

  1. Open the Exchange system manager and go to Global settings > Message Delivery > properties.
  2. Select Recipient Filtering.
  3. Select Filter recipients who are not in the Directory.
  4. Go to Administrative Groups > First Administrative Group > Servers > [your server] > SMTP > the default SMTP virtual server > properties.
  5. Select Advanced, then Edit.
  6. Select Apply Recipient Filter, then OK.

Telnet to port 25 of your SMTP server and test the configuration.
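
The telnet test above can be scripted. The following added example (not Fortinet's or Microsoft's code) uses Python's smtplib to send EHLO, MAIL FROM and RCPT TO for one known-good and one nonexistent address, then interprets the replies using the ESMTP requirement and the 4xx/5xx distinction described earlier in this FAQ. The host name, addresses and function names are assumptions.

```python
import smtplib

def classify(code):
    """Map an SMTP reply code to the FAQ's terms."""
    if 200 <= code < 300:
        return "accept"
    if 400 <= code < 500:
        return "tempfail"  # temporary: the sending MTA retries later
    if 500 <= code < 600:
        return "reject"    # permanent: the sending MTA gives up and sends a DSN
    return "unexpected"

def verdict(esmtp, valid_code, bogus_code):
    """Judge whether SMTP user verification can work against this server."""
    if not esmtp:
        return "fail: EHLO not accepted, server does not support ESMTP"
    valid, bogus = classify(valid_code), classify(bogus_code)
    if "tempfail" in (valid, bogus):
        return "retry: server answered 4xx, repeat the test later"
    if valid != "accept":
        return "fail: known-good recipient was not accepted"
    if bogus == "accept":
        return "fail: unknown recipient accepted, recipient filter not applied"
    return "ok: unknown recipient rejected with 5xx"

def probe(host, sender, valid_rcpt, bogus_rcpt, port=25, timeout=30):
    """Scripted form of the telnet test: EHLO, MAIL FROM, RCPT TO, RSET."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        ehlo_code, _ = smtp.ehlo()
        if classify(ehlo_code) != "accept":
            return verdict(False, 0, 0)
        codes = []
        for rcpt in (valid_rcpt, bogus_rcpt):
            smtp.mail(sender)
            code, _ = smtp.rcpt(rcpt)
            codes.append(code)
            smtp.rset()  # abandon the transaction; no message is sent
        return verdict(True, *codes)

if __name__ == "__main__":
    # Hypothetical host and addresses; replace with your own server and mailboxes.
    print(probe("mail.example.com", "postmaster@example.com",
                "user1@example.com", "no-such-user-7f3a@example.com"))
```

Run it from a host that is allowed to connect to the Exchange SMTP virtual server, before and after applying the recipient filter.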

I have trained my Bayesian database with an MBOX file but the FortiMail unit does not report any messages learned as spam or non-spam. Why?

If the MBOX file used to train the Bayesian database is not RFC compliant, the FortiMail unit will not be able to read the file correctly. If this happens, use a different Mail User Agent (MUA) to export your email folders and try again. MBOX files created by the Thunderbird email client are not RFC compliant.

Note that training of Bayesian databases with MBOX files is very resource intensive. Plan this type of training during low traffic periods, for example, on weekends.

How can I prevent Exchange 2003 from relaying mail? Or is relaying prevented by default?

The default configuration of Exchange Server 2003 and Exchange 2000 Server will relay mail under certain circumstances. Each Exchange 2000/2003 server has an SMTP Virtual Server that you can configure in the Exchange System Manager. Configure the relay restrictions on the Access property tab of the Default SMTP Virtual Server. The default is to not allow relaying; however, the 'Allow all computers which successfully authenticate to relay, regardless of the list above' checkbox is enabled by default. This allows POP3 and IMAP4 clients with valid computer accounts in the domain/forest to send mail to your Exchange servers. This also reduces administrative overhead when an email-based application server is added to the domain/forest.

If you do not have IMAP4 or POP3 clients, or the additional overhead of manually adding entries for email-based applications servers is not an issue, disable this option in each of your default SMTP virtual servers (one per Exchange server).

I currently have the FortiMail unit running and have experienced multiple warnings regarding a degraded array event on multiple HD dev. (ref. /dev/md2 and /dev/md3). Why?

This is expected behavior. The FortiMail unit detects file system modification upon a warm or cold restart and this behavior is reflected by this message during the boot sequence. This only happens when configuration changes were made to the unit prior to the reboot.

I get the error message 'Login incorrect' when attempting to log in to the FortiMail unit's webmail interface. Why is this happening?

The administrator may not have configured the proper authentication method for the FortiMail unit. Check these five items:

  • Authentication must be enabled and matched on the FortiMail unit (gateway or transparent modes)
  • The auth profile option Server Required Domain may need to be enabled
  • The Allow Web Mail for SPAM access option needs to be enabled under the Authentication and Access of a policy
  • The authentication server must have authentication enabled
  • Try to log in with your full email address. For example, use user1@example.com instead of user1 as the login name.

Can I move a Bayesian filter database from one user to another? If I have trained a large Bayesian database for bob@xyz.com, can I copy that database to george@xyz.com or michael@abc.com?

Yes. Since the Bayesian database backup file from the FortiMail unit contains no name or domain, this is possible. You must first back up the user database from the original user and then restore it to any other user.

I am receiving the message 'Invalid Length Value' when logging in to the admin console of the FortiMail unit. What is the cause of this message?

This message will appear when the communication with the authenticator daemon has been abruptly dropped. This could be a sign of communication problems in your network. Verify the network path between your management computer and the FortiMail unit. Proceed with packet capture if necessary.

How do I configure an LDAP profile to allow users to check the quarantined email for Exchange public folders?

The FortiMail unit can quarantine spam messages sent to Microsoft Exchange public folders. To allow users to access their quarantined email, enable the 'Allow unauthenticated ldap bind' option in the LDAP profile and enable the 'Authentication And Access' options to allow your users whatever means of quarantine access you prefer. Insert the following string in the 'LDAP Query to Find User' field of the LDAP profile:

(&(|(objectClass=User)(objectClass=Group)(objectClass=publicFolder))(|(proxyAddresses=smtp:$m)(mail=$m)))

This is a basic LDAP query specifying that the type of object to look for is a user, group, or public folder. By default, the FortiMail unit is only concerned with users.
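
To see what the query selects, the following added example (not FortiMail code) substitutes an address for $m and evaluates the filter against a few constructed directory entries with a small evaluator that handles only the AND, OR and equality forms used here. The user-only comparison query, the sample entries and all function names are assumptions, and the RFC 4515 escaping of the address is a precaution added in this example.

```python
import re

# Query from the article; $m is the placeholder for the recipient address.
ARTICLE_QUERY = ("(&(|(objectClass=User)(objectClass=Group)(objectClass=publicFolder))"
                 "(|(proxyAddresses=smtp:$m)(mail=$m)))")
# Constructed user-only variant for comparison (not FortiMail's actual default string).
USER_ONLY_QUERY = "(&(objectClass=User)(|(proxyAddresses=smtp:$m)(mail=$m)))"

# Constructed directory entries; attribute names are lower-cased for lookup.
DIRECTORY = [
    {"cn": ["alice"], "objectclass": ["top", "person", "user"],
     "mail": ["alice@example.com"]},
    {"cn": ["sales-folder"], "objectclass": ["top", "publicFolder"],
     "proxyaddresses": ["SMTP:sales@example.com"]},
    {"cn": ["vendor"], "objectclass": ["top", "contact"],
     "mail": ["vendor@example.com"]},
]

def escape(value):
    """Escape RFC 4515 special characters so the address is matched literally."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def parse(text, pos=0):
    """Parse the subset used here: (&...), (|...) and (attr=value)."""
    if text[pos + 1] in "&|":
        op, pos, children = text[pos + 1], pos + 2, []
        while text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        return (op, children), pos + 1  # step over the closing ")"
    end = text.index(")", pos)
    attr, _, value = text[pos + 1:end].partition("=")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; comparison is case-insensitive."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(child, entry) for child in node[1]]
    return all(results) if node[0] == "&" else any(results)

def find(address, query=ARTICLE_QUERY):
    """Return the cn of every constructed entry the query selects for address."""
    tree, _ = parse(query.replace("$m", escape(address)))
    return [e["cn"][0] for e in DIRECTORY if matches(tree, e)]
```

With these entries, the article's query resolves sales@example.com to the public folder, while the user-only variant returns nothing for the same address.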