Troubleshooting

Email users are spammed by DSN for email they did not actually send.

Solution

Spammers may sometimes use the delivery status notification (DSN) mechanism to bypass antispam measures. In this attack, sometimes called “backscatter”, the spammer spoofs the email address of a legitimate sender and intentionally sends spam to an undeliverable recipient, expecting that the recipient’s email server will send a DSN back to the sender to notify him/her of the delivery failure. Because this attack utilizes innocent email servers and a standard notification mechanism, many antispam mechanisms may be unable to detect the difference between legitimate and spoofed DSN.

To detect backscatter

  1. Enable bounce address tagging and configure an active key (see “Configuring bounce verification and tagging” on page 634).
  2. Next, disable both the Bypass bounce verification option (see “Configuring protected domains” on page 380) and the Bypass bounce verification check option (see “Configuring session profiles” on page 482).
  3. In addition, verify that all outgoing and incoming email passes through the FortiMail unit. The FortiMail unit cannot tag email, or recognize legitimate DSN for previously sent email, if all email does not pass through it. For details, see “Configuring bounce verification and tagging” on page 634.

Problem

Email users cannot release and delete quarantined messages by email.

Solution

Two common reasons are:

  • The domain name portion of the recipient email address (for example, fortimail.example.com in release-ctrl@fortimail.example.com) could not be resolved by the DNS server into the FortiMail unit’s IP address.
  • The sender’s email address in the release message was not the same as the intended recipient of the email that was quarantined. If you have configured your mail client to handle multiple email accounts, verify that the release/delete message is being sent by the email address corresponding to that per-recipient quarantine. For example, if an email for user@example.com is quarantined, to release that email, you must send a release message from user@example.com.

Problem

Attachments less than the 10 MB configured limit are not deliverable

Solution

The message limit is a total maximum for the entire transmitted email: the message body, message headers, all attachments, and encoding, which in some cases can expand the size of the email. For example, depending on the encoding and the content of the email, an email with an 8 MB attachment could easily exceed the transmitted message size limit of 10 MB.

Therefore, attachments should be significantly smaller than the configured limit.

The exported email archive is an empty file.

Solution

Make sure you select the check boxes of archived email (see “Configuring email archiving accounts” on page 656) that you want to export. Only email whose Status column contains a check mark will be exported.

Problem

Event log messages show DNSBL query errors.

Solution

Log messages such as:

RblServer::check 20.4.90.202.zen.spamhaus.org error=2 : ‘Host name lookup failure’

could mean that the query is being refused because it exceeds pre-defined service limitations by the DNSBL service provider. If you have very high volumes of email traffic, consider providing a DNSBL server on your local network by synchronizing the DNSBL database to it. For details, consult your service provider.

Problem

Antispam quarantine reports are delayed.

Solution

In most cases, this is caused by an excessive number of quarantine accounts.

When an email is accepted for a recipient and identified as spam, a quarantine account is automatically created in FortiMail.

Check that these quarantine accounts are valid, as netbots and spam harvest scans can cause the creation of a large number of false accounts.

There are options to manage quarantine accounts in FortiMail. These options are available under Mail Settings > Domains (not in server mode).

  • Enable Recipient Address Verification to stop invalid account creation with SMTP or LDAP authentication (Note that LDAP cache should be enabled).
  • Remove invalid accounts by enabling Automatic Removal of Invalid Quarantine Accounts.

Recipient validation is a clean solution with a performance cost on SMTP or LDAP services. Its another disadvantage is that it also results in informing the outside whether the accounts are valid or not.

The automatic clearance of accounts is started once per day at 4:00 AM by default, but can be modified by the following CLI command:

config antispam settings set system option backend_verify <hh:mm:ss>

end

where hh is the hour according to a 24-hour clock, mm is the minute, and ss is the second.

Troubleshoot HA issues

Problem

Active-passive HA cluster does not switch to the backup unit after a failure.

Solution

If an individual service has failed that does not disrupt the HA heartbeat, an active-passive HA cluster may not fail over. For example, it is possible that one or more services (such as SMTP, IMAP, POP3, web access, or a hard drive or network interface) could fail on the primary unit (master) without affecting the HA heartbeat.

To cause failover when an individual service fails, configure service monitoring (see “Configuring service-based failover” on page 328) on both the primary unit and backup unit.

Problem

Mail queues do not appear on the HA backup unit.

Solution

In order to display queue content in the backup unit, mail data must be synchronized from the primary unit. If the Backup MTA queue directories option is disabled, mail queues will not be synchronized. You can enable MTA spool synchronization to view the mail queues from either the backup unit or the primary unit.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.