FortiMail Troubleshooting: SMTP Failure

Posted on October 13, 2016 by Mike Mielke

Share this post:

Facebooktwittergoogle_plusredditpinterestlinkedin

The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems
you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting SMTP problems, such as recipient
verification failure and 451 error messages.

Problem #1: Recipient Verification Failure

Recipient verification through SMTP fails.

The Solution

If recipient verification fails despite enabling Recipient Address Verification there are some
possible causes:

The SMTP server may not be available

The network connection between the FortiMail and the SMTP server is not reliable.

The SMTP server does not support ESMTP.EHLO, as defined in ESMTP, is a part of the SMTP
verification process. If the SMTP server does not support ESMTP, the recipient verification will
fail.

The server is a Microsoft Exchange server and SMTP recipient verification is not enabled and
configured.
When the SMTP server is unavailable for recipient verification, the FortiMail unit returns the 451
SMTP reply code. The email would remain in the sending queue of the sending MTA for the next
retry.

Problem #2: 451 Error Message

SMTP clients receive the message 451 Try again later.

The Solution

The two primary reasons you may be experiencing a 451 error message is:

The greylist routine encountered an unknown sender or the greylist entry expired for the existing
sender and recipient pair.This behavior is normal and will typically resolve itself when the SMTP
client retries its delivery later during the greylist window.

Recipient verification is enabled and the FortiMail unit is unable to connect to the recipient

verification server. There should be some related entries in the antispam log, such as Verify
<user@example.com> Failed, return TEMPFAIL. If this occurs, verify that the server is correctly
configured to support recipient verification and that connectivity with the recipient verification
server has not been interrupted.

Problem #3: Temporary Failure SMTP reply Code

The FortiMail unit replies with a temporary failure SMTP reply code and the even log shows
Milter (fas_milter): timeout before data read

The Solution

The timeout is caused by the FortiMail unit not responding within 4 minutes.
Slow or unresponsive DNS server response for DNSBL and SURBL scans can cause the FortiMail
units antispam scans to be unable to complete before the timeout. When this occurs, the
FortiMail unit will report a temporary failure. In most cases, the sending MTA will retry delivery
later. If this problem is persistent, verify connectivity with your DNSBL and SURBL servers, and
consider providing private DNSBL/SURBL servers on your local network.