Support for API based email delivery
-
Hello,
Does anyone know if it is planned to add a notification option to send email using web-API-based services like Amazon AWS SES or SendGrid (which has a free plan of 100 emails sent per day)?
It will help us send emails indirectly, so we will not need to expose the firewall's public IP in a public SPF record, and its IP will not be part of the SMTP headers of the delivered email. That way we will be able to keep the FW hidden from the world (when needed) and avoid attacks like denial of service, port scans and so on.
-
There are no plans to add that as far as I know. You should create a feature request:
https://redmine.pfsense.org/
Steve
-
@stephenw10
Thanks, I have now added a feature request at https://redmine.pfsense.org/issues/14903
-
OK, I found a way to send emails from pfSense via SendGrid, using the current pfSense configuration (version 2.7.0)
(SendGrid, as noted above, has a free plan that enables you to send 100 emails per day via its service, for free, which should be, I think, more than enough to get email notifications from your pfSense device.)
The delivery is done via SendGrid's SMTP server, but the security advantage of services like SendGrid is kept, as the actual delivery does not include the IP address of the sending pfSense device (just like when sending via the web API); but it DOES INCLUDE the name of the pfSense device, like pfsense.home.arpa, so be sure to change the device's name if you wish to avoid identification by the recipients of the notification emails.
You can change the device name at System > General Setup.

First, some preparations at SendGrid:
1. Create a SendGrid user account at https://signup.SendGrid.com/, or log in if you already have an account there: https://app.SendGrid.com/login/
2. Create an API key; how to: https://docs.SendGrid.com/ui/account-and-settings/api-keys
2.1. It is better, for both security and operational reasons, to have a unique API key for pfSense, even for each pfSense device.
2.2. Grant the API key the minimal permissions needed to send email: Settings > API Keys. For "API Key Permissions" select "Restricted Access". For "Access Details" open the "Mail Send" section and enable only "Mail Send". Save the change.
2.3. Save the API key value in your records offline; you will need to use it as the SendGrid account "password" at pfSense. Once the API key is generated and saved, you will not be able to see the key's value again!
3. If you enabled "IP Access Management" (limit delivery only from allowed IP address(es)), go to Settings > IP Access Management. Add the IP address of the pfSense device, the IP that is facing the Internet and will be the one communicating with the SendGrid email server.

Generally follow the instructions in the following post by SendGrid, "Integrating with the SMTP API" (although I think it is better to use port 465, as it uses a more secure method than the one on port 587):
https://docs.SendGrid.com/for-developers/sending-email/integrating-with-the-smtp-api

DO NOT do what is written in the following post, titled "How to Send an SMTP Email"; it is for sending emails via SendGrid using Telnet to SendGrid's SMTP server, which needs the input to be formatted as Base64. Base64 format will NOT be accepted by SendGrid when sending emails via pfSense, and you will get an error message like:
"Could not send the message to <email address> -- Error: PLAIN authentication failure [SMTP: Invalid response code received from server (code: 535, response: Authentication failed: Bad username / password)]"
https://docs.SendGrid.com/for-developers/sending-email/getting-started-smtp

At pfSense:
- Go to System > Advanced > Notifications
- Of course, uncheck "Disable SMTP"
- Add to "E-Mail server" the value of smtp.SendGrid.net
- For "SMTP Port of E-Mail server" I used 465 (SMTP with TLS, most secure)
- (Connection timeout to E-Mail server – whatever you wish)
- Secure SMTP Connection – Enable-Checked
- Validate SSL/TLS – Enabled-Checked
- (From e-mail address – whatever you wish)
- (Notification E-Mail address – whatever you wish)
- Notification E-Mail auth username (optional) – this is NOT optional; you have to enter here exactly the literal word "apikey" (without the quotation marks). This tells SendGrid that you are not authenticating as a specific regular user, but with an API key
- Notification E-Mail auth password – enter here the exact API key value that you recorded when you created it. It acts as your "password"
- Notification E-Mail auth mechanism – Select the fixed value of "PLAIN"
- Scroll down to the bottom of the page and click "Save"
- Once the page has reloaded – click the "Test SMTP Settings" button to see if you receive a test email at the target email address
If you get a warning about network issues, like "Error: Failed to connect to ssl://smtp.SendGrid.net:465 [SMTP: Failed to connect socket: Operation timed out (code: -1, response: )]":
- Test the general ability to reach the target server at the target port, using pfSense's port test at Diagnostics > Test Port
- If the above port test also fails (even though you generally have network admin access to pfSense from the Internet, or pfSense can check whether a new version is available (at Status > Dashboard > System Information widget > Versions section > click the circular-arrows icon)), I suggest approaching the support of your ISP/cloud hosting firm. Many of these firms block access to SMTP ports on the Internet by default, to prevent spam delivery from their systems by their customers
Notice that you do not need to create any firewall rule for the notification emails to reach the target SMTP server; it will be allowed internally by pfSense, based on the notification configuration you enabled and adjusted.
Good luck!
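To check the same SendGrid credentials from a workstation before (or while) troubleshooting the pfSense error messages described in the post above, here is an added Python example; it is not part of the post and is not pfSense or SendGrid code. It connects the way the post configures pfSense: implicit TLS on smtp.sendgrid.net:465 with certificate validation, AUTH PLAIN with the literal username "apikey" and the API key as the password. It also lets you choose the name announced in EHLO, which is where a submitting device discloses its hostname to the receiving server. The environment variable names (SENDGRID_API_KEY, MAIL_FROM, MAIL_TO, EHLO_NAME) and the placeholder EHLO name are assumptions of this example. The auth_plain_credential() helper shows the Base64 that the mail client itself produces for AUTH PLAIN, which is why the raw key, not a pre-encoded copy, belongs in the pfSense password field.

```python
"""Test SendGrid SMTP credentials the way pfSense is configured in the post.

Added example: not pfSense or SendGrid code.  Assumed environment variables:
SENDGRID_API_KEY, MAIL_FROM, MAIL_TO and optionally EHLO_NAME.
"""
import base64
import os
import smtplib
import ssl
from email.message import EmailMessage

SENDGRID_HOST = "smtp.sendgrid.net"
SENDGRID_PORT = 465        # SMTPS (implicit TLS), the port chosen in the post
AUTH_USER = "apikey"       # literal username SendGrid expects for API-key auth


def auth_plain_credential(username: str, api_key: str) -> str:
    """Return the Base64 string a client sends after 'AUTH PLAIN'.

    SASL PLAIN (RFC 4616) is  [authzid] NUL authcid NUL passwd, Base64-encoded.
    The mail client (pfSense's mailer, smtplib here) performs this encoding, so
    the pfSense password field must hold the raw API key, not a Base64 copy.
    """
    raw = b"\0" + username.encode("utf-8") + b"\0" + api_key.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(blob: str) -> tuple[str, str]:
    """Inverse of auth_plain_credential(): (username, password) from the blob.

    Handy when reading a packet capture of a failed login to see exactly which
    credential string the client put on the wire.
    """
    _authzid, authcid, passwd = base64.b64decode(blob).split(b"\0", 2)
    return authcid.decode("utf-8"), passwd.decode("utf-8")


def build_test_message(sender: str, recipient: str) -> EmailMessage:
    """Minimal notification-style message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "pfSense notification test via SendGrid"
    msg.set_content("Test message sent with the same SMTP settings pfSense uses.")
    return msg


def send_test(api_key: str, sender: str, recipient: str, ehlo_name: str) -> dict:
    """Send one message over SMTPS with AUTH PLAIN; returns refused recipients.

    ehlo_name is the hostname announced in EHLO, the point where the sending
    device's name is disclosed to the receiving server, so pick a neutral name
    rather than the firewall's real hostname.  An empty dict means every
    recipient was accepted.  A bad key raises smtplib.SMTPAuthenticationError
    carrying the server's 535 reply, the same code shown in the post.
    """
    ctx = ssl.create_default_context()   # equivalent of 'Validate SSL/TLS'
    with smtplib.SMTP_SSL(SENDGRID_HOST, SENDGRID_PORT, local_hostname=ehlo_name,
                          timeout=20, context=ctx) as smtp:
        smtp.ehlo()
        smtp.user, smtp.password = AUTH_USER, api_key
        smtp.auth("PLAIN", smtp.auth_plain)      # force the PLAIN mechanism
        return smtp.send_message(build_test_message(sender, recipient))


if __name__ == "__main__":
    refused = send_test(
        os.environ["SENDGRID_API_KEY"],          # keep the key out of the script
        os.environ["MAIL_FROM"],
        os.environ["MAIL_TO"],
        os.environ.get("EHLO_NAME", "notifier.example.net"),  # assumed placeholder
    )
    print("refused recipients:", refused or "none")
```

Run it with the variables exported; a connection timeout here points at the same outbound-port blocking the post describes, while a 535 points at the key value or the missing "apikey" username.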