[SOLVED in 8536] - BLOCKING PROBLEM AFTER 8524: no incoming mails from Fortimail gateway. Forced to downgrade to 8517.

Problem reported by Gabriele Maoret - SERSIS - 5/5/2023 at 6:46 AM

Resolved

As the title says we had a BLOCKING PROBLEM AFTER UPDATE TO 8524 (from 8517): we don't receive any more mails (not even in webmail) from our antispam gateway (we use Fortimail).

We were forced to downgrade to 8517.

After the downgrade to 8517 the mails started arriving again.

My advice is: DO NOT UPDATE TO VERSION 8524!!!!

Gabriele Maoret - Head of SysAdmins at SERSIS

Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)

31 Replies

Reply to Thread

Brian Bjerring-Jensen Replied

5/5/2023 at 7:02 AM

Thanks Gabriele. I will hold the update then.

Gabriele Maoret - SERSIS Replied

5/5/2023 at 7:48 AM

FURTHER INFORMATION!

As I say above, we currently use an ANTISPAM gateway in front of the SmarterMail server: specifically we use FORTIMAIL (by Fortinet).

One of the tests FORTIMAIL does before forwarding the mail is to do an SMTP test to see if the recipient exists on the destination server.

At the moment I don't know the precise technical details of HOW this test is done (if anything I will investigate).

The problem seems to be generated by the fact that after upgrading to SM 8524 this test ALWAYS FAILS!

After rollback SM 8517 everything works fine again...

Having no further details, the only thing I can do at the moment is put below a detail of the LOG I see on FORTIMAIL:

Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)

Alessandro Pereira Replied

5/5/2023 at 7:56 AM

HI Gabriele Maoret,

Thanks a lot for the feedback.

Brian Bjerring-Jensen Replied

5/5/2023 at 8:48 AM

What happens if you remove the fortinet device??

Gabriele Maoret - SERSIS Replied

5/5/2023 at 11:55 AM

It seems to be an issue with the antispam gateway.

But we use it for more than 80 customers, we can't remove it.

With version SM 8517 and earlier Fortimail has never given problems (we've been using it now for at least 4 years, if not more ..), so I think it's SmarterMail that changed something creating the problem...

Fortimail hasn't been modified for months, and the fact that going back to the SM8517 everything works again confirms that the problem is the new version of SM...

Gabriele Maoret - SERSIS Replied

5/5/2023 at 12:12 PM

I've updated both the title and the first post to point out that we use Fortimail as an antispam Gateway in front of SmarterMail.

Unfortunately I don't have the possibility to say if this same problem also occurs in other cases, but in any case for us this is a blocking problem and I think SmarterMail is to blame, not Fortimail.

Seph Parshall Replied

5/5/2023 at 12:18 PM

@Gabriele Did this situation create an IDS block of the Fortimail server IP?

Gabriele Maoret - SERSIS Replied

5/5/2023 at 12:25 PM

No, it's clearly an issue with SMTP protocol, not an IDS rule block.

No IDS rule was triggered

Douglas Foster Replied

5/5/2023 at 12:26 PM

It is often labelled as Call-out Verification. Many products do it. A session is started using a generic sender account. I wonder if DMARC FAIL is happening on the generic account.

Gabriele Maoret - SERSIS Replied

5/5/2023 at 12:28 PM

Hi Douglas!

Maybe you're right...

I've never had this problem before, and up until the 8517 everything always worked.

It shows up only if I update to 8524.

echoDreamz Replied

5/5/2023 at 12:37 PM

You review your SMTP logs for anything that could be causing this?

Douglas Foster Replied

5/5/2023 at 12:42 PM

Check current logs to see the Mail from account used for the call-out. If it is something like postmaster@fortinet.net, check to see if that domain has an SPF or DMARC policy. Then check if your SM server is configured to block on FAIL for either one.

Gabriele Maoret - SERSIS Replied

5/5/2023 at 12:42 PM

Hi Echo!

I'll do that in the next days... I'm out of office drinking a good beer now (it's near 10 PM here...)

Brian Bjerring-Jensen Replied

5/5/2023 at 1:10 PM

What about the fortinet IP going into some of the blacklists??

And enjoy a lot of beer Gabriele!

Ricardo Ranieri Replied

5/5/2023 at 1:17 PM

Hi,

Here we use Antispamcloud and receive "501 Sender address is invalid". When I try to reinstall the previous version it says that it is not possible, how did you go back to 8517?

Christopher Erk Replied

5/5/2023 at 1:56 PM

Hi,

Here we use Antispamcloud and receive "501 Sender address is invalid". When I try to reinstall the previous version it says that it is not possible, how did you go back to 8517?

Are you saying you running a mail server without backups or the possibility to do a full system restore? Uh oh.

Reto Replied

5/5/2023 at 2:55 PM

@Ricardo, did you first uninstall the 8524 and then try to install 8517?

Reto Replied

5/5/2023 at 2:58 PM

@Christopher That doesn't mean he has no backup, depending on the amount of accounts and data you have the restore or copy takes a long time and any other solution would be better. Beside the data (emails) that might get lost since the upgrade.

Ricardo Ranieri Replied

5/5/2023 at 3:37 PM

Hi,

this server is very large and doing a restore is not an option, unfortunately we will have to wait for an update from Smartertools about the problem.

Ricardo Ranieri Replied

5/5/2023 at 4:41 PM

The domain it's ok.

Antispam gateway service checks if the account exists before submitting.

[2023.05.05] 13:34:58.651 [46.165.223.16][29117370] cmd: MAIL FROM:<>

[2023.05.05] 13:34:58.654 [46.165.223.16][29117370] rsp: 501 Sender address is invalid.

this new version doesn't accept <> and I don't know how to release it.

Gabriele Maoret - SERSIS Replied

5/5/2023 at 5:10 PM

Guys...

This is what I am seeing...

If you have an antispam gateway upfront SM that has a check smtp destination test, with SM 8524 you will never get new emails...

This is a major issue.

If you have any trick to get it working, that's welcome...

Gabriele Maoret - SERSIS Replied

5/5/2023 at 5:16 PM

@Ricardo: First UNISTALL SmarterMail (you don't loose data).

Reboot...

NOW install SM 8517 again.

This is what I do.

Sébastien Riccio Replied

5/5/2023 at 6:27 PM

Hello Ricardo,

While reading your post and the latest changelog, I guess this could be this "fix" that brought the issue.

Fixed: Unquoted emails with a space are not being rejected as bad formatting during SMTP.

Looks like it broke something on the e-mail addresses parsing / syntax validation that prevent a null sender address <> to be accepted as a valid sender (often used by mailservers to send back NDR/MDN/DSN notifications).

Seems it's also used by your antispam device to first validate that a recipient address exists on the target server.

I don't know if it's also the same issue for Gabriele's fortigate recipient verification.

Kind regards.

Sébastien Riccio System & Network Admin https://swisscenter.com

Gabriele Maoret - SERSIS Replied

5/6/2023 at 1:29 AM

Hi Sebastien!

I think you have nailed the problem that created the disaster after upgrading to v. 8524 !!!

Thanks for pointing that out.

It looks like this particular FIX you mentioned (>>Fixed: Unquoted emails with a space are not being rejected as bad formatting during SMTP<<) is responsible for the problem I'm having with the Fortimail gateway...

These are 2 examples taken from the SMTP log that make me think this is the problem:

13:11:19.143 [MY FORTIMAIL IP][7707961] rsp: 220 mail.CUSTOMER.it

13:11:19.143 [MY FORTIMAIL IP ][7707961] connected at 05/05/2023 13:11:19

13:11:19.143 [MY FORTIMAIL IP ][7707961] Country code: FR

13:11:19.223 [MY FORTIMAIL IP ][7707961] cmd: HELO fortimail.MYSERVER.com

13:11:19.223 [MY FORTIMAIL IP ][7707961] rsp: 250 mail.CUSTOMER.it Hello [MY FORTIMAIL IP ]

13:11:19.254 [MY FORTIMAIL IP ][7707961] cmd: MAIL FROM: <>

13:11:19.254 [MY FORTIMAIL IP ][7707961] rsp: 501 Sender address is invalid.

13:11:19.301 [MY FORTIMAIL IP ][7707961] disconnected at 05/05/2023 13:11:19

13:12:11.623 [MY FORTIMAIL IP ][10498142] rsp: 220 mail.CUSTOMER.it

13:12:11.623 [MY FORTIMAIL IP ][10498142] connected at 05/05/2023 13:12:11

13:12:11.623 [MY FORTIMAIL IP ][10498142] Country code: FR

13:12:11.701 [MY FORTIMAIL IP ][10498142] cmd: HELO fortimail.MYSERVER.com

13:12:11.717 [MY FORTIMAIL IP ][10498142] rsp: 250 mail.CUSTOMER.it Hello [MY FORTIMAIL IP ]

13:12:11.748 [MY FORTIMAIL IP ][10498142] cmd: MAIL FROM: <>

13:12:11.748 [MY FORTIMAIL IP ][10498142] rsp: 501 Sender address is invalid.

13:12:11.795 [MY FORTIMAIL IP ][10498142] disconnected at 05/05/2023 13:12:11

From what I understand, not only Fortimail but also many other antispam gateways use the same method, so many other SmarterMail users will have the same problem if they update to v.8524.

Gabriele Maoret - SERSIS Replied

5/6/2023 at 2:17 AM

I found a Fortimail setup that solves this problem:

Modify the "Recipient Address Verification" --> "Mail from address" settings of each domain managed by Fortimail, changing from "Use system setting" to "Use domain setting" and then adding a valid sender:

I still haven't figured out how to apply this parameter globally in Fortimail's "System setting", so for the moment it has to be applied manually to each individual domain.

This adds a valid sender in place of <> and now SmarterMail 8524 correctly receives mails.

This solves the problem for Fortimail used as antispam gateway in front of SmarterMail.

I don't know if the same solution can also be applied to all antispam gateways from other vendors.

Sébastien Riccio Replied

5/6/2023 at 9:11 PM

Hello Gabriele,

I'm glad you were able to confirm the issue origin and found a workaround for your fortimail setup.

Of course the issue should be addressed on SmarterMail side as it probably also prevent delivery and other notifications to be accepted by SM.

Kind regards.

Sébastien Riccio System & Network Admin https://swisscenter.com

Gabriele Maoret - SERSIS Replied

5/7/2023 at 12:35 AM

Hi Sebastian! Yes, I too think this is a bug, not a fix...

I'll open a new discussion on this...

Douglas Foster Replied

5/7/2023 at 3:37 AM

Your log indicates the problem is with null sender. This happens on many messages. Please clear the resolved stays and pursue the bug report

Gabriele Maoret - SERSIS Replied

5/7/2023 at 5:31 AM

Hi Douglas!

This discussion is to resolve the problem with the Fortimail Gateway, not for the NULL sender.

The issue with Fortimail is resolved with the setting I explained above, so this discussion is marked as SOLVED.

I created a different discussion for the NULL sender issue.

You can find it here:

https://portal.smartertools.com/community/a95351/new-samartermail-8524-forcibily-reject-null-sender_.aspx

Gabriele Maoret - SERSIS Replied

5/15/2023 at 5:34 AM

Unfortunately the "Sender address is invalid" problem also blocks Fortimail's Quarantine Reports, and in this case I couldn't find a setting that solves the problem...

So unfortunately I'm forced to fall back on a downgrade to version 8517 (unfortunately 8531 introduces new problems that are far worse and therefore not a viable alternative...)

The problem in question, therefore, is not solved as it seemed at first...

Gabriele Maoret - SERSIS Replied

5/18/2023 at 12:16 AM

Marked As Resolution

I can confirm that this issue has been resolved (I used custom build 8536, not 8531 with the image and character encoding bug...)

Back to Community Threads

Please leave this box unchecked