Troubleshooting tools
To locate network errors and other issues that may prevent email from passing to or through the FortiMail unit, FortiMail units feature several troubleshooting tools. You may also be able to perform additional tests from your management computer or the computers of SMTP clients and servers.
This section includes:
- Ping and traceroute
- Nslookup
- Telnet connections to the SMTP port number
- Log messages
- Greylist and sender reputation displays
- Mail queues and quarantines
- Packet capture
Ping and traceroute
If your FortiMail unit cannot connect to other hosts, you may be able to use ICMP ping and traceroute to determine if the host is reachable or locate the node of your network at which connectivity fails, such as when static routes are incorrectly configured. You can do this from the FortiMail unit using CLI commands.
For example, you might use ICMP ping to determine that 172.16.1.10 is reachable (commands that you would type are highlighted in bold; responses from the FortiMail unit are not bolded):
FortiMail-400 # execute ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10): 56 data bytes
64 bytes from 172.16.1.10: icmp_seq=0 ttl=64 time=2.4 ms
64 bytes from 172.16.1.10: icmp_seq=1 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=64 time=1.4 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=64 time=0.8 ms
64 bytes from 172.16.1.10: icmp_seq=4 ttl=64 time=1.4 ms
— 172.20.120.167 ping statistics —
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.8/1.4/2.4 ms
or that 192.168.1.10 is not reachable:
FortiMail-400 # execute ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10): 56 data bytes
Timeout …
Timeout …
Timeout …
Timeout …
Timeout …
— 192.168.1.10 ping statistics —
5 packets transmitted, 0 packets received, 100% packet loss
Both ping and traceroute require that network nodes respond to ICMP ping. If you have disabled responses to ICMP on your network, hosts may appear to be unreachable to ping and traceroute, even if connections using other protocols can succeed.
If the host is not reachable, you can use traceroute to determine the router hop or host at which the connection fails:
FortiMail-400 # execute traceroute 192.168.1.10
traceroute to 192.168.1.10 (192.168.1.10), 32 hops max, 72 byte packets
 1  168.1.2  2 ms  0 ms  1 ms
 2  * * *
For more information on CLI commands, see the FortiMail CLI Reference.
Nslookup
It is critical that FortiMail has good access to DNS services to properly handle SMTP sessions and apply antispam scans, including FortiGuard Antispam. If DNS queries fail, they will be recorded in the event log.
Figure 62: Event log when DNS queries fail
If a DNS query fails or resolves incorrectly, you may want to manually query your DNS server to verify that the records are correctly configured. You can do this from the FortiMail unit using CLI commands.
For example, you might query for the mail gateway of the domain example.com (commands that you would type are highlighted in bold; responses from the FortiMail unit are not bolded):
FortiMail-400 # execute nslookup mx example.com
example.com mail exchanger = 10 mail.example.com.
or query to resolve mail.example.com and service.fortiguard.net (the domain name of a FortiGuard Distribution Network server) into IP addresses:
FortiMail-400 # execute nslookup name mail.example.com
Name: mail.example.com
Address: 192.168.1.10
FortiMail-400 # execute nslookup name service.fortiguard.net
Name: service.fortiguard.net
Address: 212.95.252.120
Name: service.fortiguard.net
Address: 72.15.145.66
Name: service.fortiguard.net
Address: 69.90.198.55
For more information on CLI commands, see the FortiMail CLI Reference.
Like verifying DNS connectivity and configuration from the FortiMail unit, you may also be able to verify DNS connectivity and configuration from protected and external mail servers using similar commands. This can be necessary if the devices are configured to use different DNS servers. For details, see the documentation for those mail servers.
Telnet connections to the SMTP port number
Instead of using an SMTP client to verify SMTP connections, you can manually establish SMTP connections by using a Telnet client. Especially if your SMTP client or SMTP server is unable to establish a connection, manually attempting the connection may provide you with SMTP error codes or other insight into why the connection is failing.
Table 11: Some common SMTP error codes
SMTP error code number | Description
500 | Syntax error, command unrecognized
501 | Syntax error in parameters or arguments
502 | Command not implemented (such as for ESMTP and other SMTP protocol extensions that are not enabled/installed on the SMTP server)
503 | Bad sequence of commands
If extended SMTP error codes are installed and enabled on the target SMTP server, a manual Telnet connection may enable you to view additional error descriptions. For example, the enhanced error code 4.3.2 Please Try Again Later may notify you that a temporary condition exists preventing delivery, such as greylisting or service unavailability, and that the SMTP client should try delivery again later.
How you should establish the connection depends on the origin and destination of the SMTP connection that you want to test, either:
- From the FortiMail unit to an SMTP server
- To or through the FortiMail unit
From the FortiMail unit to an SMTP server
If you are not sure if the FortiMail unit can use SMTP to reach an SMTP server, you might use the execute telnettest <fqdn_str>:<port_int> CLI command.
For example, to test SMTP connectivity with mail.example.com on the standard SMTP port number, 25 (commands that you would type are highlighted in bold; responses from the FortiMail unit are not bolded):
FortiMail-400 # execute telnettest mail.example.com:25
Connecting to remote host succeeded.
To or through the FortiMail unit
If you are not sure if a MUA can use SMTP to reach a FortiMail unit that is operating in gateway mode or server mode, or not sure which SMTP commands the FortiMail unit was configured to accept, from the email user’s computer or an external SMTP server, you might open a command prompt and use the command line Telnet client.
For example, to send a test email message (commands that you would type are highlighted in bold; responses from the FortiMail unit are not bolded):
$ telnet fortimail.example.com 25
Trying fortimail.example.com…
Connected to fortimail.example.com.
Escape character is '^]'.
220 fortimail.example.com ESMTP Smtpd; Mon, 6 Oct 2008 14:47:32 -0400
EHLO mail.example.com
250-fortimail.example.com Hello [172.16.1.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10485760
250-DSN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL FROM: user1@internal.example.com
250 2.1.0 user1@example.com… Sender ok
RCPT TO: user2@external.example.net
250 2.1.5 user2@example.com… Recipient ok
DATA
354 Enter mail, end with “.” on a line by itself
Subject: TEST
This is a test email message.
.
250 2.0.0 m96IlWkF001390 Message accepted for delivery
QUIT
221 2.0.0 fortimail.example.com closing connection
Connection closed by foreign host.
$
where:
- fortimail.example.com is the fully qualified domain name (FQDN) of your FortiMail unit
- the FortiMail unit is listening for SMTP connections on the default SMTP port number, 25
- mail.example.com is the fully qualified domain name (FQDN) of the protected email server from which you are connecting, whose domain name resolves to the IP address 172.16.1.10
- user1@internal.example.com is the email address of a sender that is internal to your protected domain, internal.example.com
- user2@external.example.net is the email address of a recipient that is external to your protected domain
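The same manual check can be scripted so that the EHLO capability list and the reply codes from Table 11 (and the enhanced codes such as 4.3.2) are read out consistently. The following is an added example, not code from the FortiMail documentation: parse_reply, classify, extensions and smtp_probe are hypothetical helper names, the host names are the ones used in the session above, and SAMPLE_EHLO is a constructed copy of the server's EHLO reply, so the parsing part runs offline while smtp_probe needs a reachable SMTP listener.

```python
import re
import socket

# Constructed server side of the EHLO step from the session above (not a real capture).
SAMPLE_EHLO = ("250-fortimail.example.com Hello [172.16.1.10], pleased to meet you\r\n"
               "250-ENHANCEDSTATUSCODES\r\n250-SIZE 10485760\r\n"
               "250-AUTH LOGIN PLAIN CRAM-MD5\r\n250 HELP\r\n")
ENHANCED = re.compile(r"^[245]\.\d{1,3}\.\d{1,3}\b")   # RFC 3463 class.subject.detail

def parse_reply(lines):
    """One reply from an iterator of lines -> (code, texts); '250-' continues, '250 ' ends."""
    code, texts = None, []
    for line in lines:
        line = line.rstrip("\r\n")
        if code is None:
            code = int(line[:3])
        elif int(line[:3]) != code:
            raise ValueError("mixed reply codes in one reply: " + line)
        texts.append(line[4:])
        if line[3:4] != "-":
            return code, texts
    raise ConnectionError("connection closed before the reply was complete")

def classify(code, text):
    """Verdict for one reply line plus its enhanced status code (e.g. '4.3.2'), if any."""
    m = ENHANCED.match(text)
    verdict = ("ok" if code < 400 else
               "temporary failure: retry later (greylisting, service busy)" if code < 500
               else "permanent failure")
    return verdict, (m.group(0) if m else None)

def extensions(ehlo_texts):
    """Capabilities advertised in an EHLO reply (line 0 is the greeting)."""
    caps = {}
    for t in ehlo_texts[1:]:
        kw, _, params = t.partition(" ")
        caps[kw.upper()] = params
    return caps

def smtp_probe(host, port=25, helo="mail.example.com", timeout=10):
    """Banner, EHLO, QUIT against a live listener; returns (banner, capabilities)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb", buffering=0)
        lines = (raw.decode("utf-8", "replace") for raw in f)
        banner = parse_reply(lines)
        f.write(("EHLO %s\r\n" % helo).encode())
        code, texts = parse_reply(lines)
        f.write(b"QUIT\r\n")
    return banner, (extensions(texts) if code == 250 else {})
```

Comparing the dictionary returned by smtp_probe against what the unit is expected to offer (for example, whether AUTH or SIZE is present) is a quick way to confirm which SMTP commands it was configured to accept.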