pfSense acting as SMTP Relay via port 25
-
Hi all
I have some apps that are not able to play with the new security rules imposed by the normal public SMTP relay servers.
Up to now I was using Google and I had Google enabled to allow less secure apps, but they closed that door last week.
I want to run an SMTP relay on my pfSense, to simply forward email out. The app only allows me to specify the originating email address, target email address and SMTP relay address, and then it assumes port 25.
Can anyone help/advise?
Please don't tell me this is bad, I must change my app, whatever... I have restrictions and this is what I need to do.
G
-
@georgelza It might be easier to install an SMTP server on a computer on your LAN, and port forward port 25 to it (optionally, by source IP if possible). Then that SMTP server can be configured to connect out to some sort of mailbox or mail relay service, with credentials. Many ISPs block port 25 outbound, so relaying out through something else might be required.
-
@georgelza said in pfSense acting as SMTP Relay via port 25:
but they closed that door the last week.
So you cannot just set an app password?
https://support.google.com/accounts/answer/185833
I have a few things that use this password. Here are a couple using it, and the last time they did. Tautulli sends out a newsletter every day.
-
I don't understand why I have to port forward port 25.
My internal clients need to get to port 25... from where it then goes out via whatever outbound port the mail server will use to send the emails to the target email server.
There is nothing for an ISP to block here, what am I missing?
-
John, nope, I logged onto SMTP using my Gmail username/password. From there it then sent/relayed via port 25.
This ability to use port 25 is now gone. The client/app in question cannot talk to the new ports, which include higher security/encryption things.
G
-
@georgelza said in pfSense acting as SMTP Relay via port 25:
I don't understand why I have to port forward port 25.
My internal clients need to get to port 25... from where it then goes out via whatever outbound port the mail server will use to send the emails to the target email server.
I assumed you were connecting from outside the network. If not, then I would definitely set up an SMTP server on a computer in your network and have the software connect to that. Even if you could figure out how to install an SMTP server on pfSense itself, I would think it would be likely not to survive a pfSense upgrade at some point, particularly when the FreeBSD version changes.
There is nothing for an ISP to block here, what am I missing?
Many ISPs, especially on residential connections, block port 25 outbound in order to prevent spam. So your own SMTP server might still need to connect out to some other service on port 587 and relay the emails: a POP account, SMTP2Go, or a service like that.
-
There is no package to do that nor will there be. It's a security nightmare.
As others have said, you are not going to be able to relay port 25 out as you likely won't be able to connect to anything on port 25. Lots of ISPs are filtering it out at the edge and lots of mail servers would reject the mail even if you got it there.
You need a local mail "smart host" style relay on a dedicated system (a small VM or a Pi might do) that can accept bare port 25 connections only from your local network and then relay to your actual upstream server on the submission port (tcp/587) with authentication. There are plenty of tutorials out there for doing that on a pi and other setups.
But it isn't going to happen on the firewall.
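A Postfix main.cf fragment for the smart-host relay described in this post, added here as an illustration and not from the thread or from pfSense; the LAN range, hostnames, credential file path and CA bundle path are assumed placeholders.

```conf
# /etc/postfix/main.cf fragment (added example, not from the thread).
# Assumed placeholders: 192.168.1.0/24 is the LAN, relay.lan.example is
# this relay box, smtp.upstream.example is the provider's submission host.

myhostname = relay.lan.example
inet_interfaces = all
inet_protocols = ipv4

# Accept unauthenticated port 25 only from loopback and the LAN; any other
# source is refused, so this box never becomes an open relay.
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_relay_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# Nothing is delivered locally: every message is handed to the upstream
# smart host on the submission port with SASL authentication and TLS.
# (If the provider listens on 2525 instead, change the port here and in
# the sasl_passwd key to match.)
relayhost = [smtp.upstream.example]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# /etc/postfix/sasl_passwd holds one line (username/password are placeholders):
#   [smtp.upstream.example]:587 username:password
# Then build the lookup table and keep the files private:
#   postmap /etc/postfix/sasl_passwd
#   chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
```

After restarting Postfix, a LAN client pointed at this box on port 25 gets the plain, unauthenticated connection the legacy app expects, while the relay itself only ever talks to the provider over authenticated TLS on 587.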
-
You can use SMTP2GO, and you can force traffic to port 25 in the firewall to forward to 2525, which will work. I have done that before.
I also use SpamTitan as an anti-spam server, and you can set the incoming IP to be allowed to send as a certain domain\email address. If your ISP blocks 25, then the same rule to route traffic from 25 to, say, 2525 or some other port is something you can easily set up.
There is nothing inside pfSense that would be a mail relay by default; you need a 3rd party product. If your ISP allows port 25 traffic, I would set a rule to only allow that server's IP to send outbound on 25 and have it forced to go to that 3rd party.
Also, like other people said, some email gateways/relays will take in unsecured port 25 from inside the locked network and be able to forward that to more advanced services like Office 365 or Google. However, you need to be smart with these products and only allow those legacy services to use it, not every workstation on the network.
-
@johnpoz How do I sign up for this newsletter? I use Tautulli also.
-
@flat4 you don't sign up for it, you set it up.
https://github.com/Tautulli/Tautulli/wiki/Notification-Agents-Guide#email
You will notice the Gmail instructions call out using an app password.
Then you set up which of your users get the "newsletter". I use BCC instead of CC so that users don't see all the other users' email addresses.