Troubleshoot MTA issues
Problem
SMTP clients receive the message 550 5.7.1 Relay access denied.
Solution
This indicates rejection due to lack of relay permission.
- For incoming connections, relay will be allowed automatically unless explicitly rejected through the access control list (see “Configuring access control rules” on page 456).
- For outgoing connections, relay will be allowed only if explicitly granted by authentication (see “Controlling email based on IP addresses” on page 475) or by the access control list (see “Configuring access control rules” on page 456). If authentication is required, verify that the SMTP client is configured to authenticate.
If you receive a 5.7.1 error message that does not mention relay access, and sender reputation or endpoint reputation is enabled, verify that the SMTP client has not exceeded the reputation score threshold for rejection.
Problem
The FortiMail unit is bypassed.
Solution
FortiMail units can be physically bypassed in a complex network environment if the network is not carefully planned and deployed. Bypassing can occur if SMTP traffic is not correctly routed by intermediary NAT devices such as routers and firewalls.
If your FortiMail unit will be performing antispam scans on outgoing email, all outgoing email must be routed through the FortiMail unit. If your email users and protected servers are configured to relay outgoing mail through another MTA such as that of your ISP, the FortiMail unit will be bypassed for outgoing email.
Spammers can easily determine the lowest priority mail server (highest preference number in the DNS MX record) and deliver spam through that lower-priority MX in an attempt to avoid more effective spam defenses.
To ensure that spammers cannot bypass the FortiMail unit
- Configure routers and firewalls to route SMTP traffic to the FortiMail unit for scanning.
- If the FortiMail unit is operating in gateway mode, modify the DNS server for each protected domain to keep only one single MX record which refers to the FortiMail unit.
- Verify that all possible connections have a matching policy. If no policy matches, the connection will be allowed but will not be scanned. (To prevent this, you can add a policy to the bottom of the IP policy list that rejects all connections that have not matched any other policy.)
- Verify that you have selected an antispam profile in each policy, and have enabled antispam scans.
Both antispam and antivirus scans are bypassed.
Solution
If email is not physically bypassing the FortiMail unit, but is not undergoing both antispam and antivirus scans, verify that access control rules are not too permissive. Also verify that a policy exists to match those connections, and that you have selected antispam and antivirus profiles in the policy. Scans will not be performed if no policy exists to match the connection.