FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sgiannogloudis
Article Id 194207
Description
This article describes how to identify and troubleshoot SMTPS traffic that is blocked while traversing a firewall policy with deep inspection enabled.
In rare cases, secure SMTP traffic cannot pass through the FortiGate to the local email servers.

Typically, a policy will look like:


                                  
It is also possible to observe that the problem cannot be replicated after either of the following changes:

1) Replacing the deep inspection profile with certificate inspection.
2) Changing the firewall policy's inspection mode from proxy-based to flow-based.

Solution
As a first step, validate whether the SSL certificates used for deep inspection are corrupted (for example, a certificate whose private key file no longer matches it).
To do so, issue the following commands:

# execute vpn certificate local verify Fortinet_CA_SSL
# execute vpn certificate local verify Fortinet_CA_Untrusted
# execute vpn certificate local verify Fortinet_SSL_ECDSA256
# execute vpn certificate local verify Fortinet_SSL_ECDSA384
# execute vpn certificate local verify Fortinet_SSL_ECDSA521
# execute vpn certificate local verify Fortinet_SSL_ED448
# execute vpn certificate local verify Fortinet_SSL_ED25519
# execute vpn certificate local verify Fortinet_SSL_RSA1024
# execute vpn certificate local verify Fortinet_SSL_RSA2048
# execute vpn certificate local verify Fortinet_SSL_RSA4096
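
As an added example (not Fortinet's code, and not what the FortiGate CLI runs internally), the shell script below performs the same kind of consistency check with OpenSSL: it extracts the public key from a certificate and from a private key and compares them, so a key file that no longer belongs to its certificate is detected, and it also reports whether the certificate has expired. The file names and the demo CA it generates are constructed for the example; it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example: check that an X.509 certificate and a private key belong together,
# the kind of mismatch that "execute vpn certificate local verify" reports on a
# FortiGate. This is not FortiGate code; it only requires the openssl CLI.

# cert_key_match CERT_FILE KEY_FILE
# Returns 0 if the certificate's public key equals the one derived from the
# private key, 1 if they differ, 2 if either file cannot be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_expired CERT_FILE
# Returns 0 if the certificate's notAfter is already in the past, 1 otherwise.
cert_expired() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report CERT_FILE KEY_FILE
# Prints one summary line per certificate: subject, notAfter, key match status.
report() {
    subject=$(openssl x509 -in "$1" -noout -subject 2>/dev/null)
    enddate=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null)
    if cert_key_match "$1" "$2"; then
        match="key-match=OK"
    else
        match="key-match=MISMATCH"
    fi
    if cert_expired "$1"; then
        expiry="expired=YES"
    else
        expiry="expired=no"
    fi
    printf '%s | %s | %s | %s\n' "$subject" "$enddate" "$match" "$expiry"
}

# make_demo_certs
# Builds a constructed test set in a temporary directory and prints its path:
# ca.crt/ca.key are a matching self-signed CA pair (like a deep inspection CA),
# other.key is an unrelated private key that simulates a corrupted/mismatched key file.
make_demo_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Demo Deep Inspection CA" -days 1 >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" >/dev/null 2>&1
    echo "$dir"
}
```

To try it, source the file and run `d=$(make_demo_certs); report "$d/ca.crt" "$d/ca.key"; report "$d/ca.crt" "$d/other.key"`: the first line shows `key-match=OK`, the second `key-match=MISMATCH`. The comparison works because both `openssl x509 -pubkey` and `openssl pkey -pubout` emit the same PEM-encoded SubjectPublicKeyInfo, so a plain string comparison is sufficient for any key type OpenSSL supports.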

From the above command outputs, observe:





To resolve the issue, perform the following actions during a short maintenance window:




After executing the commands, the certificate and private key files will match each other, and SMTPS traffic can traverse the FortiGate and be scanned.
