Fortinet Document Library

Version:


Table of Contents

6.2.0
Download PDF
Copy Link

FortiMail open ports

Note

When operating in its default configuration, FortiMail does not accept TCP or UDP connections on any port except port1 and port2 network interfaces, which accept:

  • ICMP pings,
  • HTTPS connections on TCP/443,
  • and SSH connections on TCP/22.

Incoming ports

Purpose

Protocol/Port

Admin by Console or PC

SSH, Telnet, HTTP, SSH, Console

TCP/443 or TCP/80 or TCP/22 or TCP/23

Email Client

Quarantine View/Retrieve

TCP/80 or TCP/443 or TCP/110

SMTP or SMTPS

TCP/25 or TCP/465

POP3 or POP3S

TCP/110 or TCP/995 (server mode only)

IMAP or IMAPS

TCP/143 or TCP/993 (server mode only)

WebDAV and CalDAV

TCP/8008

FortiMail

Base port for HA heartbeat signal

UDP/20000

Synchronization control

UDP/20001

File synchronization

TCP/20002

Data synchronization

TCP/20003

Checksum synchronization

TCP/20004

HA service monitoring (remote SMTP)

TCP/25

HA service monitoring (remote HTTP)

TCP/80

HA service monitoring (remote POP3)

TCP/110

HA service monitoring (remote IMAP)

TCP/143

Clear Text Central Quarantine

TCP/514

SSL Central Quarantine

TCP/6514

FortiManager

SNMP Poll

TCP/161

AV Push

 

FortiGuard

AV Push

UDP/9443

External Email Server

SMTP or SMTPS

TCP/25 or 465

Storage: iSCI, NFS

TCP/3260 (iSCI), TCP/2049 (NFS)

Config Backup

SFTP / FTP

Mail Data Backup

NFS, SMB/CIFS, SSH, external USB (direct connected), iSCSI

Protected Email Server

SMTP or SMTPS

TCP/25 or 465

Outgoing ports

Purpose

Protocol/Port

FortiAnalyzer

OFTP

UDP/514

FortiManager

SNMP Traps

UDP/162

AV/AS Query

 

FortiGuard

AS Rating

UDP/53 or 8888, 8889

AV/AS Update

TCP/443

FortiMail

Base port for HA heartbeat signal

UDP/20000

Synchronization control

UDP/20001

File synchronization

TCP/20002

Data synchronization

TCP/20003

Checksum synchronization

TCP/20004

HA service monitoring (remote SMTP)

TCP/25

HA service monitoring (remote HTTP)

TCP/80

HA service monitoring (remote POP3)

TCP/110

HA service monitoring (remote IMAP)

TCP/143

Clear Text Central Quarantine

TCP/514

SSL Central Quarantine

TCP/6514

External Email Server

SMTP or SMTPS

TCP/25 or TCP/465

Protected Email Server

SMTP or SMTPS

TCP/25 or TCP/465

POP3 Auth

TCP/110

IMAP Auth

TCP/143

Others

Dyn DNS

TCP/80 *

DNS, RBL

UDP/53

NTP

UDP/123

Alert Email

TCP/25

LDAP or LDAPS

TCP/389 or TCP/636

RADIUS Auth

TCP/1812

NAS

TCP/21, TCP/22, TCP/2049

OCSP (for PKI user)

TCP/80, or defined by certificate

FortiSandbox / FortiSandbox Cloud

Communication

TCP/443, TCP/514

* FortiMail generates outbound traffic and sends an HTTP SYN request via TCP/80. The Fortinet RSS Feed widget provides a convenient display of the latest security advisories and discovered threats from Fortinet. Also, if an email message contains a shortened URI that redirects to another URI, it would cause FortiMail to send an HTTP SYN request to the shortened URI to get the redirected URI.

Note

FortiMail uses the following URLs to access the FortiGuard Distribution Network (FDN):

  • update.fortiguard.net
  • service.fortiguard.net
  • support.fortinet.com

Furthermore, FortiMail performs these queries and updates listed below using the following ports and protocols:

  • FortiGuard Anti-Spam rating queries: UDP/53, 8888, 8889
  • FortiGuard AntiVirus Push updates: UDP/9443
  • FortiGuard Anti-Spam or AntiVirus updates: TCP/443

FortiMail open ports

Note

When operating in its default configuration, FortiMail does not accept TCP or UDP connections on any port except port1 and port2 network interfaces, which accept:

  • ICMP pings,
  • HTTPS connections on TCP/443,
  • and SSH connections on TCP/22.

Incoming ports

Purpose

Protocol/Port

Admin by Console or PC

SSH, Telnet, HTTP, SSH, Console

TCP/443 or TCP/80 or TCP/22 or TCP/23

Email Client

Quarantine View/Retrieve

TCP/80 or TCP/443 or TCP/110

SMTP or SMTPS

TCP/25 or TCP/465

POP3 or POP3S

TCP/110 or TCP/995 (server mode only)

IMAP or IMAPS

TCP/143 or TCP/993 (server mode only)

WebDAV and CalDAV

TCP/8008

FortiMail

Base port for HA heartbeat signal

UDP/20000

Synchronization control

UDP/20001

File synchronization

TCP/20002

Data synchronization

TCP/20003

Checksum synchronization

TCP/20004

HA service monitoring (remote SMTP)

TCP/25

HA service monitoring (remote HTTP)

TCP/80

HA service monitoring (remote POP3)

TCP/110

HA service monitoring (remote IMAP)

TCP/143

Clear Text Central Quarantine

TCP/514

SSL Central Quarantine

TCP/6514

FortiManager

SNMP Poll

TCP/161

AV Push

 

FortiGuard

AV Push

UDP/9443

External Email Server

SMTP or SMTPS

TCP/25 or 465

Storage: iSCI, NFS

TCP/3260 (iSCI), TCP/2049 (NFS)

Config Backup

SFTP / FTP

Mail Data Backup

NFS, SMB/CIFS, SSH, external USB (direct connected), iSCSI

Protected Email Server

SMTP or SMTPS

TCP/25 or 465

Outgoing ports

Purpose

Protocol/Port

FortiAnalyzer

OFTP

UDP/514

FortiManager

SNMP Traps

UDP/162

AV/AS Query

 

FortiGuard

AS Rating

UDP/53 or 8888, 8889

AV/AS Update

TCP/443

FortiMail

Base port for HA heartbeat signal

UDP/20000

Synchronization control

UDP/20001

File synchronization

TCP/20002

Data synchronization

TCP/20003

Checksum synchronization

TCP/20004

HA service monitoring (remote SMTP)

TCP/25

HA service monitoring (remote HTTP)

TCP/80

HA service monitoring (remote POP3)

TCP/110

HA service monitoring (remote IMAP)

TCP/143

Clear Text Central Quarantine

TCP/514

SSL Central Quarantine

TCP/6514

External Email Server

SMTP or SMTPS

TCP/25 or TCP/465

Protected Email Server

SMTP or SMTPS

TCP/25 or TCP/465

POP3 Auth

TCP/110

IMAP Auth

TCP/143

Others

Dyn DNS

TCP/80 *

DNS, RBL

UDP/53

NTP

UDP/123

Alert Email

TCP/25

LDAP or LDAPS

TCP/389 or TCP/636

RADIUS Auth

TCP/1812

NAS

TCP/21, TCP/22, TCP/2049

OCSP (for PKI user)

TCP/80, or defined by certificate

FortiSandbox / FortiSandbox Cloud

Communication

TCP/443, TCP/514

* FortiMail generates outbound traffic and sends an HTTP SYN request via TCP/80. The Fortinet RSS Feed widget provides a convenient display of the latest security advisories and discovered threats from Fortinet. Also, if an email message contains a shortened URI that redirects to another URI, it would cause FortiMail to send an HTTP SYN request to the shortened URI to get the redirected URI.

Note

FortiMail uses the following URLs to access the FortiGuard Distribution Network (FDN):

  • update.fortiguard.net
  • service.fortiguard.net
  • support.fortinet.com

Furthermore, FortiMail performs these queries and updates listed below using the following ports and protocols:

  • FortiGuard Anti-Spam rating queries: UDP/53, 8888, 8889
  • FortiGuard AntiVirus Push updates: UDP/9443
  • FortiGuard Anti-Spam or AntiVirus updates: TCP/443