Netgate Discussion Forum

    SMTP server on pfSense.

      apetrenko @Daniel_Hyde

      @daniel_hyde It works, doing deeper testing.
      About the e-mail: I need to send 1-10 e-mails, it is IPMI/iDRAC alerting which can use only plain SMTP to port 25.

        Daniel_Hyde @apetrenko

        @apetrenko

        You can get cloud-based relays that can do this, you can pick the port you send on and whether you want encryption or not.

        Thanks
        Dan

          Gertjan @apetrenko

          @apetrenko said in SMTP server on pfSense.:

          I need to send 1-10 e-mails,

          A postfix server for

          ... to send 1-10 e-mails (per day)

          Why not ditch them into a Gmail? Free phone popup notification as a bonus.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            apetrenko @Gertjan

            @gertjan because you will be surprised when you will try to set it up for iDRAC on Dell Server -- it can send only to plain SMTP to port 25.

              rcoleman-netgate Netgate @apetrenko

              @apetrenko You don't want to run SMTP services on your firewall. You could make a VPN tunnel and route SMTP that way if you have to. That's what I've done with mine.

              Ryan
              Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
              Requesting firmware for your Netgate device? https://go.netgate.com
              Switching: Mikrotik, Netgear, Extreme
              Wireless: Aruba, Ubiquiti

                SteveITS Galactic Empire @apetrenko

                @apetrenko said in SMTP server on pfSense.:

                I have ~200 IPMI interfaces and each of them needs to send logs to port 25 to plain SMTP.

                I would use a hostname those can resolve, and then you can move it to a different SMTP server/IP later.

                I see both sides of the discussion. We used to use the Windows Server SMTP feature before it was removed in 2022, and relay that out to 365 or Google or whatever. Using an internal SMTP allows for queuing messages from pfSense when Internet is down. Having something internal would let pfSense queue those until it connects and can relay out. Access to port 25 could be controlled by firewall rule, though the default LAN:any rule would have it open. Perhaps a separate ACL-type setting.

                Alternately there are plenty of ways to install a free SMTP server on Windows. At some point in life someone recommended hmailserver.com but I haven't really looked at it.

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                  mvikman @apetrenko

                  @apetrenko

                  How old are those Dell servers? According to Dell's instructions, you can set port and authentication for SMTP, at least on iDRAC7 and newer...

                  pfSense Plus 24.11-RELEASE (amd64)
                  Dell Optiplex 7040 SFF
                  Core i5-6500, 8GB RAM, 2x 240GB SSD (ZFS Mirror)
                  HPE 561T (X540-AT2), 2-port 10Gb RJ45
                  HPE 562SFP+ (X710-DA2), 2-port 10Gb SFP+

                    apetrenko @mvikman

                    @mvikman Authenticated, not encrypted. There is no SSL/TLS support.

                      rcoleman-netgate Netgate @apetrenko

                      @apetrenko highly recommend you either configure your own "satellite" SMTP server internally on your network or use a VPN to communicate to one that will work on SMTP port 25 w/o encryption.

                      Ryan

                        mvikman @apetrenko

                        @apetrenko

                        iDRAC9 supports TLS after firmware upgrade, this is from Dell KB Article 000131098:

                        After iDRAC is upgraded to version 4.00.00.00, you may stop receiving encrypted email alerts from iDRAC, if the external email server does not support encryption. iDRAC firmware version 4.00.00.00 introduces a user-selectable encryption option and the default protocol is StartTLS. To start receiving email messages again, disable the email encryption by using the following RACADM command: "racadm set idrac.RemoteHosts.ConnectionEncryption None"


                          Gertjan

                          @apetrenko said in SMTP server on pfSense.:

                          @gertjan because you will be surprised when you will try to set it up for iDRAC on Dell Server -- it can send only to plain SMTP to port 25.

                          I know.
                          I've an old T350 PowerEdge with an iDRAC, and yes, it has very little capable mail send settings.
                          It presumes an open port 25 and a host name. That was how things were done in the past.

                          Maybe I can upgrade it .... never looked into that.

                          If I had to, I would ask my NAS to 'play' mail relay : probably way easier/faster to set up.

                          The fact that a simple pfSense upgrade or even patch can disable or break an installed postfix, or an upgrade of pfSense blows postfix out of the water, is a no go.


                            apetrenko @Gertjan

                            Guys, don't tell me what I should change in my infrastructure, what I have to upgrade, and what I need to do. If you ever certify your infra by PCI/SoC/ISO, you probably know how hard and expensive it is to "add satellite server to send e-mail" or "upgrade your idrac to V1.23.456.789" in the middle of the compliance period.

                            I found a better and simple solution: https://github.com/wiggin77/mailrelay installed on pfSense.

                            Works well and is exactly what I need: receive an e-mail by plain SMTP inside the network and send it to AWS mail relay by STARTTLS to 587.

                            GertjanG R 2 Replies Last reply Reply Quote 0
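
Added example, not from the thread and not code from the mailrelay project: a Python version of the two controls raised above for a plain-SMTP-in, STARTTLS-out relay, namely limiting which clients may use port 25 and refusing to forward when the upstream leg cannot be encrypted. The subnet, host names and function names are assumptions made for illustration.

```python
import ipaddress
import smtplib
import ssl

# Assumed values for illustration only; none of them come from the thread.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.30.0/24")]  # BMC management VLAN
UPSTREAM = ("smtp.example.invalid", 587)                   # submission relay


class RelayRefused(Exception):
    """Raised when a message must not be forwarded."""


def client_allowed(peer_ip, allowed=ALLOWED_CLIENTS):
    """True only if the plaintext client connects from an allowed subnet."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in allowed)


def forward(peer_ip, mail_from, rcpt_to, data, upstream=UPSTREAM,
            creds=None, tls_context=None):
    """Forward one message received on the plaintext side to the upstream.

    Fails closed: an unknown client, a missing STARTTLS offer or a certificate
    that does not verify all abort before MAIL FROM or AUTH is sent.
    """
    if not client_allowed(peer_ip):
        raise RelayRefused(f"{peer_ip} is not an allowed relay client")
    ctx = tls_context or ssl.create_default_context()  # verifies chain + name
    host, port = upstream
    with smtplib.SMTP(host, port, local_hostname="relay.example.invalid",
                      timeout=15) as s:
        s.ehlo()
        # smtplib does not upgrade on its own; without this check a stripped
        # STARTTLS offer would leave the session, and the alert, in cleartext.
        if not s.has_extn("starttls"):
            raise RelayRefused("upstream did not offer STARTTLS")
        s.starttls(context=ctx)
        s.ehlo()  # capabilities must be re-read after the TLS upgrade
        if creds:
            s.login(*creds)
        return s.sendmail(mail_from, rcpt_to, data)
```

The source check complements a firewall rule on port 25 rather than replacing it, since the default LAN rule would otherwise leave the listener reachable from every internal host.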
                              Gertjan @apetrenko

                              @apetrenko said in SMTP server on pfSense.:

                              what I have to upgrade

                              Wasn't telling you what to upgrade. Don't know your hardware.
                              And with "PCI/SoC/ISO" all bets are off. Like patching a firewall with a mail server ;)

                              I do like the solution you found 👍


                                bingo600

                                Won't the above solution need some kind of golang runtime/libraries to be installed ??
                                How do you ensure those packages are kept up2date ??

                                If you find my answer useful - Please give the post a 👍 - "thumbs up"

                                pfSense+ 23.05.1 (ZFS)

                                QOTOM-Q355G4 Quad Lan.
                                CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                                LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

                                  rcoleman-netgate Netgate @apetrenko

                                  @apetrenko said in SMTP server on pfSense.:

                                  I found a better and simple solution: https://github.com/wiggin77/mailrelay installed on pfSense.

                                  Sideloading packages into pfSense will likely fail or disappear when you upgrade the platform. If you reach out to TAC you will be told to remove any repos and sideloaded programs before we will ever look at your machine.

                                  Ryan

                                    apetrenko @bingo600

                                    @bingo600 Binary is static. Update package -- standard sysadmin task. Right?

                                      apetrenko @rcoleman-netgate

                                      @rcoleman-netgate Since updates are coming no more often than 1 time per 3-5 years, I'm safe on this problem. :) I have an Ansible for installing and configuring some 3rd party stuff on my pfSense.

                                      And I don't think USAF will have any interest in my router.
                                      [Tactical Air Command (USAF)]

                                      Question to netgate: why are you so interested to prevent me to use smtp relay on pfSense box? You have no obligation, I'm using the "community edition". Everything on my responsibility. Why are you so much stirred up against my solution?

                                        rcoleman-netgate Netgate @apetrenko

                                        @apetrenko said in SMTP server on pfSense.:

                                        Question to netgate: why are you so interested to prevent me to use smtp relay on pfSense box? You have no obligation, I'm using the "community edition". Everything on my responsibility. Why are you so much stirred up against my solution?

                                        Any add-on to your system comes with its own unknowns and potential security holes that could be exploited.

                                        If you want to keep a fully secure system the best route is to not add outside (untested) binaries and leave yourself secure by putting the job of a mail server onto a ... mail... server... and not a firewall.

                                        Ryan

                                          jimp Rebel Alliance Developer Netgate @apetrenko

                                          @apetrenko said in SMTP server on pfSense.:

                                          Question to netgate: why are you so interested to prevent me to use smtp relay on pfSense box? You have no obligation, I'm using the "community edition". Everything on my responsibility. Why are you so much stirred up against my solution?

                                          Because this is a security product and e-mail services have a long history of being a gigantic attack surface full of holes and bringing more risk than anyone sane would want to take on. Most other add-on services are either only still around because they're entrenched (and hard to get people to stop using) or because the risk is relatively low by comparison.

                                          If you want to do it, you're on your own. That kind of service does not belong on a firewall.

                                          EOT. Locking.

                                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                          Need help fast? Netgate Global Support!

                                          Do not Chat/PM for help!

                                          • jimpJ jimp locked this topic on
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.