pfSense Email notification

SteveITS · Apr 5, 2022, 7:46 PM

@pdrallod If your ISP doesn't block outbound port 25 you can try using your email address's MX record as a smart host, with no credentials. (basically, inbound email to yourself). Port 25 is likely blocked by most residential and many business ISPs though.

Gertjan · Apr 7, 2022, 1:36 PM

@steveits

Port 25 ?
That port really should only be used for originating and receiving mail servers.
"Mail box clients", that you me and everybody else should use the ports reserved for that usage.

Here it is :

and yes, the 'password' is not my gmail mail password.
I created years ago a password "app password ?" especially for this pfSense setup.

Except for the password story, this mail setup is 100 % vanilla.
Port 465 delivering mail over TLS from the start, using identification. That's the default these days.
smtp.gmail.com looks pretty logic also.

I'm not aware of the fact that gmail is going to cancel this functionality.

Automated boxes like pfSense, your hair dryer, central hating, front door cam, etc etc should not use your gmails (email) password. You have to create additional passwords, gmail will generate the for you, and you have to add some info so you will know in the future what and device is using what password. This permits you to have access to your gmail account with your own password, and remove/block/etc devices that you don't own/control any more.

Why an app or device password ?
If the device falls into wrong hands, and the password was stored in clear, you have a problem.
If you change your mail password, you have to change also all the devices where you use the same gmail password. That's tedious, and you will always forget one, which means : no more notifications from that device (and gmail gets hit with many login attempts from this device that will fail).

flat4 · Apr 7, 2022, 1:36 PM

@gertjan try port 587

Gertjan · Apr 7, 2022, 1:57 PM

@flat4 said in pfSense Email notification:

try port 587

Submission ? Why ?
Very useful in the past. 587 is old and only needed for devices that have issues with TLS. You should not use these any more.

Btw : my setup works without issues, and has been crafted as per 'gmail''s mail instructions.

Submission uses non-TLS to start with, example :

220 mail.my-domain.fr ESMTP Postfix
EHLO me.tld
250-mail.my-domain.fr
250-PIPELINING
250-SIZE 31457280
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

mail.my-domain.fr is one of my own domain names, with a mail server.

I could enforce TLS usage at this moment, so the only command the mail client can issue is "STARTTLS". After that, the connection will be TLS. Autenfication will follow, and then the mail upload.
Or, if I'm not enforcing TLS because my client app (device) doesn't handle TLS, or just an ancient version like SSL2 or SSL3, I could accept a 'clear' mail upload.
I've no ancient devices or software any more, so I don't need 587 any more.

It '465' with TLS 1.3 from bit one for me now.
Google - gmail also prefers 465 by far.

flat4 · Apr 7, 2022, 2:03 PM

@gertjan Just from experience 465 would not would not work so I tried 587 and it worked. At that point I didn't care if it was SSL/TLS i just needed to work,

Gertjan · Apr 7, 2022, 2:30 PM

@flat4 said in pfSense Email notification:

not would not work

Send email from a printer, scanner, or app

and scroll down on that page until you reach :

and unfold that part.

IMHO, option 3 is the best one.

Note : I'm not Google, don't know if they 'firewall' IPs - or whatever system they use to protect their IPs.

Btw : If really needed, even port 25 can be used. That is, if your ISP let you do so.

NogBadTheBad · Apr 7, 2022, 2:48 PM

I followed this and it works:-

https://forum.netgate.com/topic/111569/howto-notifications-with-gmail-smtp

flat4 · Apr 7, 2022, 3:11 PM

@gertjan I no longer use gmail but when i did, i used an app password and port 587. That's why I suggested it since port 465 would not work at that time.

Gertjan · Apr 7, 2022, 3:14 PM

@nogbadthebad said in pfSense Email notification:

https://forum.netgate.com/topic/111569/howto-notifications-with-gmail-smtp

#meto

That's how I created the image shown above.

SteveITS · Apr 7, 2022, 3:18 PM

I think OP is referring to:
https://support.google.com/accounts/answer/6010255?hl=en
"To help keep your account secure, starting May 30, 2022, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password.

Please note this deadline does not apply to Google Workspace or Google Cloud Identity customers. The enforcement date for these customers will be announced on the Workspace blog at a later date."

Edit: I clicked on the sections, and it also says, "Because less secure apps can make your account more vulnerable, Google will automatically turn this setting off if it’s not being used."
and
"If "Less secure app access" is turned off for your account, you can turn it back on. We recommend switching to more secure apps instead."

So that part doesn't sound at all like they're turning it off.

Gertjan · Apr 7, 2022, 9:34 PM

@steveits
There is also a difference between accessing the entire Google 'account' or just sending a mail.
We'll see what happens.

jimp · Apr 11, 2022, 1:45 PM

See the recent note at the bottom of the docs page section on e-mail notifications:

https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html#smtp-e-mail

Your account must have 2-step verification on and then you must create an app password for it.

I'm not sure if you could create an app password without 2FA in the past, but the first thing I'd check is to ensure that 2FA is enabled for the account. They may have locked that part down. It wouldn't surprise me if you had to make a new app password after enabling 2FA as well.

Gertjan · Apr 11, 2022, 2:25 PM

I just checked my account.
I'm using F2A for many years already.

This is what I found :

So, I'm actually using these "App passwords", that is, my 2 pfSense are using them, as the image shows (Apr 10 & Apr 9).

PDrallod · Apr 14, 2022, 4:17 PM

@steveits You are correct that my original post was referring to Google's May 30, 2022 deadline turning off third party app support. I think perhaps I read more into this than I should - but we'll know for sure in about 6 weeks. In the meantime - I have set up 2FA and set up an App password for pfSense. Notification is all working well for now. Thanks to all for their advice.

I do wish pfSense provided a little more control of which notifications to send, but that is a different topic.