Appendix C: Port Numbers

Firewalls (if any) between FortiMail and other devices may need to open the following inbound (listening) and outbound ports in order to communicate with other devices. Required port numbers vary by which features you enable.

Default port numbers are listed. Many are configurable. See the links in each row of:

Incoming (listening) port numbers
Outgoing port numbers

In its factory default configuration, FortiMail does not accept packets on any port except port1 and port2 network interfaces, which only accept:

ICMP ping
HTTPS connections on TCP/443 to the administrative GUI
SSH connections on TCP/22 to the CLI

Incoming (listening) port numbers

FortiMail features listen for communications from other devices on these ports.

If port forwarding is enabled, then the FortiMail unit listens on more port numbers that are not associated with FortiMail features, but instead are forwarded to other devices on the network. See Configuring port forwarding. If traffic capture is enabled, then the FortiMail unit listens on port numbers that are specified by the filter. See Traffic capture.

Default Port Number	IP Protocol	Source IP address	Purpose
80	TCP	Administrators Email users	Administrative GUI (HTTP) Quarantine access Webmail (server mode only)
443	TCP	Administrators Email users	Administrative GUI (HTTPS) REST API Quarantine access Webmail (server mode only)
22	TCP	Administrators FortiManager	Administrative CLI (SSH) Configuration and firmware push
23	TCP	Administrators	Administrative CLI (Telnet)
161	UDP	FortiManager	SNMPquery
25	TCP	Email servers, relays Email users	Email relay/proxy/server (SMTP) Spam sample submission by email users
465	TCP	Email servers, relays Email users	Email relay/proxy/server (SMTPS) Spam sample submission by email users
587	TCP	Email users	Email sending (SMTP for email users to send email separately from relays/servers)
143	TCP		Email (IMAP; server mode only) Email archive access
993	TCP		Email (IMAPS; server mode only) Email archive access
110	TCP		Email (POP3; server mode only) Quarantine access
995	TCP		Email (POP3S; server mode only)
443	TCP	FortiMail	HA centralized monitoring
6688	TCP		HA centralized monitoring
20000	UDP and TCP		HA heartbeat signal (base port)
20001	UDP and TCP		HA synchronization control
20002	TCP		HA file synchronization
20003	TCP		HA data synchronization
20004	TCP		HA checksum synchronization
25	TCP		HA service monitoring (SMTP)
80	TCP		HA service monitoring (HTTP)
110	TCP		HA service monitoring (POP3)
143	TCP		HA service monitoring (IMAP)
9443	UDP		(Deprecated) FortiGuard Antivirus push
443	TCP	FortiGate	Security Fabric (HTTPS management)

Outgoing port numbers

FortiMail communicates to these port numbers on other servers and devices.

Default Port Number	IP Protocol	Destination IP Address	Purpose
443	TCP	Directory server	Authentication (HTTPS SAML SSO)
389	TCP and UDP		Authentication (LDAP)
636	TCP		Authentication (LDAPS)
1812	TCP		Authentication (RADIUS)
143	TCP	Email server	Authentication (IMAP)
993	TCP		Authentication (IMAPS)
110	TCP		Authentication (POP3)
995	TCP		Authentication (POP3S)
25	TCP		Authentication (SMTP) Email delivery to protected domains (SMTP) Recipient address verification Delivery failure notifications (DSN) Alert email
465	TCP		Authentication (SMTPS) Email delivery to protected domains (SMTPS) Recipient address verification Delivery failure notifications (DSN) Alert email
21	TCP	Network attached storage or file share server	Backup of configuration (FTP)
22	TCP		Backup of configuration (SFTP/SSH)
22	TCP		Backup of mailboxes (SFTP/SSH)
445	TCP and UDP		Backup of mailboxes (SMB/CIFS)
3260	TCP		Backup of mailboxes (iSCSI)
2049	TCP and UDP		Backup of mailboxes (NFS)
2049	TCP and UDP		External storage for mailboxes and quarantine (NFS)
3260	TCP		External storage for mailboxes and quarantine (iSCSI)
443 or 8890	TCP	Fortinet	FortiGuard Antivirus engine and virus signature updates (see also Required URLs for FortiGuard services) License validation
53 or 8888	UDP or TCP	Fortinet	FortiGuard Antispam rating query
53	UDP	DNSBL server	Third-party DNSBL/RBL spam rating query
53	UDP	SURBL server	Third-party SURBL URL rating query
53	UDP	DNS server	Domain name resolution (DNS) Record queries such as MX and DKIM
123	UDP	Fortinet Time server	Time synchronization (NTP)
443	TCP	FortiMail	HA centralized monitoring
6688	TCP		HA centralized monitoring
20000	UDP and TCP		HA heartbeat signal (base port)
20001	TCP		HA synchronization control
20002	TCP		HA file synchronization
20003	TCP		HA data synchronization
20004	TCP		HA checksum synchronization
25	TCP		HA service monitoring (SMTP)
80	TCP		HA service monitoring (HTTP)
110	TCP		HA service monitoring (POP3)
143	TCP		HA service monitoring (IMAP)
514	TCP		Centralized quarantine (clear text)
6514	TCP		Centralized quarantine (secure)
8013	TCP	FortiGate	Security Fabric (HTTPS to upstream) FortiView
443	TCP	FortiNDR	File scan
443	TCP	FortiSandbox	URL scan (HTTPS)
514	TCP	FortiSandbox	File scan (OFTPS)
443	TCP	FortiManager	Registration, configuration backup/pull, and firmware pull
162	UDP	FortiManager	Event traps (SNMP)
514	UDP and TCP	FortiAnalyzer Syslog	Logging
80 or 443	TCP	Dynamic DNS servers	Dynamic DNS (HTTP or HTTPS)
80	TCP	Web servers	Resolution of tiny URLs into the redirect target URL
80, or port number in OCSP certificate	TCP	Directory or PKI servers	Certificate revokation query

Required URLs for FortiGuard services

Firewalls and web filters between the FortiMail unit and the Internet must allow requests to the following URLS, which are used by FortiMail features that connect to Fortinet's FortiGuard services:

update.fortiguard.net
securewf.fortiguard.net (global) or securewf.fortiguard.net (United States only)
service.fortiguard.net (global) or usservice.fortiguard.net (United States only)