PfSense 2.3.2 and email notifications
-
Upgraded to pfSense 2.3.2 and email notifications have stopped working.
Error in the log is: /system_advanced_notifications.php: Could not send the message to blah@blah.com – Error: could not connect to the host "172.xxx.xxx.6": ??
I have not changed the settings on the firewall or the mail server.
The settings used on the firewall look correct and I have checked the account used to send notifications is still enabled and the password still works.
I have found this bug https://redmine.pfsense.org/issues/5604, which could be related.
The only thing I can think of that could be causing an issue is that our mail server requires an encrypted password rather than plain. I have tried the Login rather than the Plain option on the notifications setup page, but it made no difference.
Any suggestion on how to resolve this issue?
Disabling encrypted password for the user account is not an option with the mail server as it's a global option.
-
"Error: could not connect to the host "172.xxx.xxx.6": ??"
Doesn't seem like an auth issue, more like it just cannot even connect. Is this server outside or inside your network? Have you validated you can talk to this server from your pfSense box? Are you using an FQDN in the notifications or the IP? Can you post your notification settings?
For example, see mine using Gmail, and working just fine.
-
Mail server is inside the network; the firewall can ping the mail server from the ping page in pfSense.
PING 172.xxx.xxx.6 (172.xxx.xxx.6) from 172.xxx.xxx.250: 56 data bytes
64 bytes from 172.xxx.xxx.6: icmp_seq=0 ttl=128 time=0.283 ms
64 bytes from 172.xxx.xxx.6: icmp_seq=1 ttl=128 time=0.257 ms
64 bytes from 172.xxx.xxx.6: icmp_seq=2 ttl=128 time=0.333 ms
--- 172.xxx.xxx.6 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.257/0.291/0.333/0.032 ms
Have tried both IP and FQDN, no difference.
All three emails in the screenshot are the same and it's definitely working; have checked spam, etc.
-
If your email server is inside the network, I assume your 172 is RFC 1918, i.e. 172.16-31, so why are you obfuscating it?
So you can ping it, that's good. Can you hit it on 465? Why don't you test it with your openssl client and see what happens?
Example:
[2.3.2-RELEASE][root@pfSense.local.lan]/root: openssl s_client -connect smtp.gmail.com:465
CONNECTED(00000004)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3727 bytes and written 417 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 14E429EF37274630608B620D24AC9554F896DBFE95204B031E715927A8CFE678
    Session-ID-ctx:
    Master-Key: 45E73165670AB874A35A87CCE798636515BCE7B5748D19BE6C6CCC87E8F3EB97DAB9378BE4605D8C1685EBD2243775E2
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    Start Time: 1473260826
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 smtp.gmail.com ESMTP u76sm3184172ita.15 - gsmtp
helo test.test.com
250 smtp.gmail.com at your service
Then you can send your commands and see what you get back from your email server, or at the very minimum see that it connects without any issues with the certs, etc.
If I had to make a wild guess: if you're using an IP and not an FQDN, unless you set up a SAN for that IP on your certs they are probably failing, etc. Are you using a self-signed cert or one signed by a public trusted CA?
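A scripted form of the staged test described above (TCP connect, then TLS handshake against the firewall's CA bundle, then the SMTP banner), added here as an example and not code from the thread or from pfSense. It assumes Python 3.7+ (for `verify_code` on the verification error) and uses the bundle path named later in the thread; the verify-code hints map OpenSSL's X509 error codes to the causes the thread raises (private or removed CA, IP used where the certificate only carries the FQDN).

```python
import re
import socket
import ssl

# Root bundle pfSense uses for outbound TLS, as named in the thread.
PFSENSE_CA_BUNDLE = "/usr/local/share/certs/ca-root-nss.crt"

# OpenSSL X509_V_ERR codes matched to the causes the thread raises.
# Pass cafile=None to diagnose_smtps() to use the system trust store instead.
VERIFY_CODE_HINTS = {
    0: "certificate chain verified",
    10: "certificate has expired",
    18: "self-signed server certificate, not in the CA bundle",
    19: "self-signed CA in chain: private CA not in the CA bundle",
    20: "issuer not in the CA bundle (private CA, or one removed from it)",
    21: "unable to verify first certificate: intermediate not sent",
    62: "hostname mismatch: the name or IP used is not in the cert's SAN",
}

def explain_verify_code(code):
    return VERIFY_CODE_HINTS.get(code, f"verify error {code}; see verify(1)")

def parse_s_client_verify(output):
    """Extract (code, text) from the 'Verify return code: N (text)' line of
    saved openssl s_client output; None when the line is absent, which is
    what you get when the TCP connection itself failed."""
    m = re.search(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)", output)
    return (int(m.group(1)), m.group(2)) if m else None

def diagnose_smtps(host, port=465, cafile=PFSENSE_CA_BUNDLE, timeout=5):
    """Stage the check like the manual test: TCP connect, TLS handshake
    against cafile, then read the SMTP banner.  Returns (stage, detail)
    with stage in {'tcp', 'verify', 'tls', 'ok'}."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"could not connect to {host}:{port}: {exc}"
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            banner = tls.recv(512).decode(errors="replace").strip()
    except ssl.SSLCertVerificationError as exc:  # chain or hostname rejected
        return "verify", f"{exc.verify_code}: {explain_verify_code(exc.verify_code)}"
    except ssl.SSLError as exc:  # handshake failed for another reason
        return "tls", str(exc)
    except OSError as exc:  # connection dropped mid-handshake or on read
        return "tcp", str(exc)
    return "ok", banner
```

A "verify" result with code 19 or 20 points at the CA bundle rather than at the network, which is the distinction the notification page's single "could not connect" message hides.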
-
If the mail server is using a certificate signed by a private CA, then you will not be able to establish a TLS/SSL connection.
-
"If the mail server is using a certificate signed by a private CA, then you will not be able to establish a TLS/SSL connection."
Or if the mail server is using a certificate signed by a CA that has been removed from /usr/local/share/certs/ca-root-nss.crt.
Such as this one: https://forum.pfsense.org/index.php?topic=115884.msg644711#msg644711
The full thread:
SSL/TLS Option Breaks My SMTP Notifications
https://forum.pfsense.org/index.php?topic=115884.0
-
"If your email server is inside the network, I assume your 172 is RFC 1918, i.e. 172.16-31, so why are you obfuscating it?"
Force of habit I'm.
Issue is solved; read the thread posted by dennypage.
Disabled SSL and notifications are now working again. Thanks for all the help.