FortiMail Troubleshooting: SMTP Failure


The Troubleshooting recipes are here to assist you in diagnosing and remedying any problems you experience when using your FortiMail unit.

This recipe guides you through the process of troubleshooting SMTP problems, such as recipient verification failure and 451 error messages.


Problem #1: Recipient Verification Failure

Recipient verification through SMTP fails.

The Solution

If recipient verification fails despite enabling Recipient Address Verification there are some possible causes:

  1. The SMTP server may not be available
  2. The network connection between the FortiMail and the SMTP server is not reliable.
  3. The SMTP server does not support ESMTP.EHLO, as defined in ESMTP, is a part of the SMTP verification process. If the SMTP server does not support ESMTP, the recipient verification will fail.
  4. The server is a Microsoft Exchange server and SMTP recipient verification is not enabled and configured.

When the SMTP server is unavailable for recipient verification, the FortiMail unit returns the 451 SMTP reply code. The email would remain in the sending queue of the sending MTA for the next retry.

Problem #2: 451 Error Message

SMTP clients receive the message 451 Try again later.

The Solution

The two primary reasons you may be experiencing a 451 error message is:

  • The greylist routine encountered an unknown sender or the greylist entry expired for the existing sender and recipient pair.This behavior is normal and will typically resolve itself when the SMTP client retries its delivery later during the greylist window.
  • Recipient verification is enabled and the FortiMail unit is unable to connect to the recipient
    verification server. There should be some related entries in the antispam log, such as Verify <> Failed, return TEMPFAIL. If this occurs, verify that the server is correctly configured to support recipient verification and that connectivity with the recipient verification server has not been interrupted.

Problem #3: Temporary Failure SMTP reply Code

The FortiMail unit replies with a temporary failure SMTP reply code and the even log shows Milter (fas_milter): timeout before data read

The Solution

The timeout is caused by the FortiMail unit not responding within 4 minutes.

Slow or unresponsive DNS server response for DNSBL and SURBL scans can cause the FortiMail unit’s antispam scans to be unable to complete before the timeout. When this occurs, the FortiMail unit will report a temporary failure. In most cases, the sending MTA will retry delivery later. If this problem is persistent, verify connectivity  with your DNSBL and SURBL servers, and consider providing private DNSBL/SURBL servers on your local network.