Email Notifications Setup Trouble
-
Hello,
I'm getting the following error when trying to Test SMTP Settings:
×Could not send the message to username@xxxxxxxx.com -- Error: Failed to connect to ssl://xxxxxxxx:587 [SMTP: Failed to connect socket: stream_socket_client(): Unable to connect to ssl://xxxxxxxx:587 (Unknown error) (code: -1, response: )]
Any ideas what the Unknown error could be? I'm not even sure where to start looking.
I've validated authentication information and connectivity to the email server. I've also validated being able to relay email through the email server.
Any help is appreciated.
-
@CarRamrod If you have the TLS option checked try unchecking it.
-
@SteveITS When I try that I get this error message:
Error: PLAIN authentication failure [SMTP: Invalid response code received from server (code: 535, response: 5.7.8 Error: authentication failed:)]
I have access to the email server. Here are the log messages on the email server when I try test with SSL enabled:
Jan 24 18:29:00 mail postfix/submission/smtpd[4762]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jan 24 18:29:00 mail postfix/submission/smtpd[4762]: initializing the server-side TLS engine
Jan 24 18:29:00 mail postfix/submission/smtpd[4762]: connect from hostname.comcast.net[xxx.xxx.xxx.xxx]
Jan 24 18:29:00 mail postfix/submission/smtpd[4762]: lost connection after UNKNOWN from hostname.comcast.net[xxx.xxx.xxx.xxx]
Jan 24 18:29:00 mail postfix/submission/smtpd[4762]: disconnect from hostname.comcast.net[xxx.xxx.xxx.xxx]
It would be super helpful if these unknown errors would become known errors.
-
For Comcast, I use:
-
@CarRamrod said in Email Notifications Setup Trouble:
when I try test with SSL enabled
Don't even try, it won't work, not with 'submission' or port 587.
You use port 587, so this is the correct option:
Test for yourself:
Fire up telnet on your PC:
root@ns311465:~# telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ns311465.ip-188-165-201.eu ESMTP Postfix
EHLO me.test-domaine.fr
250-ns311465.ip-188-165-201.eu
250-PIPELINING
250-SIZE 31457280
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
edit: I tested on the mail server itself, and I still have a postfix submission listening locally (127.0.0.1).
You know that telnet is the open and clear data connection, not SSL (TLS).
You would be using an ssh connection if you were using SSL (TLS). Submission will be non-encrypted at the start. When the connection opens, after:
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ns311465.ip-188-165-201.eu ESMTP Postfix
the mail client (or you, manually), pfSense, will emit a mail server capabilities request; it does so by announcing EHLO with its own domain. I entered manually:
EHLO me.test-domaine.fr
The postfix mail server will answer with the capabilities :
250-ns311465.ip-188-165-201.eu
250-PIPELINING
250-SIZE 31457280
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
The pfSense mail client will parse this list, and if it finds "STARTTLS", it will emit this command.
edit : see the
From then on - and only at this moment - the connection will be switched from non-encrypted to SSL (TLS). Using SSL while opening the connection to the mail server's 587 port will produce an error.
Btw: submission (port 587) is something of the past. There shouldn't be any "open and clear" connections anymore. I disabled it on my postfix many years ago.
You're using postfix - and you probably have domain names at your disposal.
You should be using smtps, port 465, for your mail clients so they can drop mail on the mail server. smtps is SSL (TLS) from byte zero. This is an entry in my /etc/postfix/master.cf:
...
mail.test-domaine.fr:smtps inet n - y - - smtpd
  -o myhostname=mail.test-domaine.fr
  -o smtp_helo_name=mail.test-domaine.fr
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_cert_file=/etc/ssl/test-domaine.fr/test-domaine.fr.pem
  -o smtpd_tls_key_file=/etc/ssl/test-domaine.fr/test-domaine.fr.pem
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=amavis:[127.0.0.1]:10026
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_auth_enable=yes
...
I actually rent the domain 'test-domaine.fr' and my postfix uses trusted (letsencrypt) certs, so the connecting client can check that it is actually connected to test-domaine.fr and not someone else.
My smtps is using "sasl", I'm using it with all my mail clients (Outlook 365, Phone mail apps etc).
For pfSense, I'm not using my own mail server; I prefer to use a gmail account for notification events, as I see real-time popups on my phone as soon as a pfSense notification arrives. These events (could) need immediate action.
Gmail uses port 465 of course (they ditched 587 or submission years ago), so I have to check "Enable SMTP over SSL/TLS", as TLS is mandatory. See their mail instructions.
I also check "Validate SSL/TLS" so the client (pfSense) will check the cert, so it is sure that gmail == gmail before it continues.
-
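As an added example (not pfSense or Postfix code), the check Gertjan describes above in code: `parse_ehlo()` reads the EHLO capability list from the telnet session in the thread, `tls_mode_for()` flags the combination of an ssl:// wrapper with port 587 that the original error shows, and `probe()` performs the same check against a live server and is the only part that touches the network (host and port are whatever endpoint you pass in).

```python
import smtplib
import ssl

# Constructed from the EHLO reply posted above (telnet 127.0.0.1 587).
SAMPLE_EHLO_REPLY = (
    "250-ns311465.ip-188-165-201.eu\r\n250-PIPELINING\r\n250-SIZE 31457280\r\n"
    "250-ETRN\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250-AUTH=PLAIN LOGIN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250-DSN\r\n250-SMTPUTF8\r\n"
    "250 CHUNKING\r\n"
)

def parse_ehlo(reply: str) -> dict:
    """Multi-line 250 EHLO reply (RFC 5321) -> {KEYWORD: 'params'}; line 1 is the server name."""
    caps = {}
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    for line in lines[1:]:
        keyword, _, params = line[4:].strip().partition(" ")  # drop '250-' / '250 '
        if "=" in keyword:   # legacy 'AUTH=PLAIN LOGIN' duplicate of the AUTH line
            continue
        caps[keyword.upper()] = params
    return caps

def tls_mode_for(port: int, caps: dict, ssl_from_byte_zero: bool) -> str:
    """587 = plaintext greeting then STARTTLS; 465 (smtps) = TLS from byte zero."""
    if port == 465:
        return ("ok: implicit TLS" if ssl_from_byte_zero
                else "mismatch: port 465 expects a TLS handshake before the greeting")
    if ssl_from_byte_zero:
        # TLS ClientHello arrives where EHLO is expected; Postfix logs 'lost connection after UNKNOWN'.
        return "mismatch: TLS wrapper sent to a plaintext/STARTTLS port"
    if "STARTTLS" in caps:
        return "ok: plaintext EHLO, then STARTTLS, then AUTH"
    return "no TLS offered: AUTH PLAIN would send credentials in the clear"

def probe(host: str, port: int, timeout: float = 10.0) -> dict:
    """Live check of a real server: read capabilities, upgrade with STARTTLS if offered; sends no credentials."""
    ctx = ssl.create_default_context()   # verifies the server certificate
    if port == 465:
        srv = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        srv = smtplib.SMTP(host, port, timeout=timeout)
    srv.ehlo()
    before = dict(srv.esmtp_features)    # smtplib lower-cases the keywords
    if port != 465 and srv.has_extn("starttls"):
        srv.starttls(context=ctx)
        srv.ehlo()                       # capabilities can change after TLS
    after = dict(srv.esmtp_features)
    srv.quit()
    return {"port": port, "before_tls": before, "after_tls": after}
```

`tls_mode_for(587, parse_ehlo(SAMPLE_EHLO_REPLY), ssl_from_byte_zero=True)` reproduces the situation in the first post, while `False` is the setting the reply recommends for 587.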
@Gertjan Thank you for the detailed explanation!