System/Advanced/Notifications/Email ... "Test SMTP Settings" - no emails
-
Not really. I've never tried to send email over VPN though. But I would expect it to work as long as the system route to the email server is via the VPN gateway.
-
-
@reberhar Hi Steve,
So I have chased this problem and have found some helpful information, at least for me.
The network administrator before me setup individual OpenVPN site to site server tunnels for every remote connection. This was with shared certificates. There were 4 servers. Everything worked fine with the Email from the servers. Each route was unique with unique port numbers.
Enter the deprecation of shared certificates in OPEN VPN in pfSense and the threat of and update that would not include my install. We were directed to change to TLS.
So I reseached how to make the change and decided to use only one server which works fine execpt for this one glitch, of which I was unaware.
Open VPN does not keep multiple localhost connections alive. If I restart the openvpn the localhost works on whatever server sends mail first. As soon as a different remote unit sends mail, the first connection is lost until another openvpn restart.
It does not treat the same problem but something related.
Since I don't want to create 3 more openvpn servers I am going to switch to an external email server.
-
Hmm, well that second link seems quite clear but I don't think it applies to your situation. You're not trying to access services across the tunnel.
The first link is less clear. It seems to imply that OpenVPN takes traffic destined for localhost on the same box. And that if it fails the localhost traffic also fails. Which applies to you when trying to send an email to the sendmail service. But I'm not sure how that would affect different clients differently...
-
@stephenw10 Hi Steve,
No, neither one applies directly. The second one especially. It just showed that someone tried to fix a similar problem on Linux.
What is clear is that OpenVPN treats Localhost differently than a standard ipv4 or ipv6 number.
Of course that IP number is always the same no matter what machine. So localhost is a separate case. it was never meant to be an endpoint from outside the machine ... if I really understand its function correctly.
I will delete the second link.
-
Hmm, wait are you saying that when you set the clients to route all traffic over the VPN that grabs localhost traffic somehow? But it still works as long as the tunnel stays up?
That wouldn't apply to the server end if so. Maybe I've misread that....
-
@stephenw10 Hi Steve,
The post I include shows how Openvpn changes the BSD routing table. I still have to look at mine again and compare them.
I am however, reticent, to tweak the system at this level. Persistence is certain to be a problem.
As I type this, I guess what I really need to do is dive into the BSD documentation and just learn this stuff.
One thing is certain, OpenVpn does not necessarily maintain a stable dependable connection at the Localhost level.
This seems obvious.
Roy
-
@stephenw10 Only the pfSense email connection drops.
I have an email server internally.
-
Yeah, it seems likely there is is something more subtle at work here because it would break a lot of other things if localhost became completely inaccessible.
-
@stephenw10 Truly.
The routing table in BSD is sending the email query to the OpenVPN gateway address.
The next place to look is in OpenVPN, then the email server.
Now to try to find time to figure out what is happening in OpenVPN.
I wish there was a way to send these messages through the LAN interface. Then there would be a unique IP arriving at the email server. Making LAN a gateway creates a potential infinite loop.
Here is part of the Dovecot log. I wish it had more information.
My wife says that I am "too persistent." Maybe I just need to take the easy way around this obscure problem and just delete this post. Nuts, I like clean resolutions.
Dec 11 01:33:16 catalina-sme dovecot: imap-login: Login: user=<roy>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=18233, secured, session=<0aj3cvoosop/AAAB>
Dec 11 01:33:16 catalina-sme dovecot: imap(roy): Connection closed (No commands sent) in=0 out=360
Dec 11 12:01:06 catalina-sme dovecot: imap-login: Login: user=<roy>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19902, secured, session=<upJDOAMpuox/AAAB>
Dec 11 12:01:06 catalina-sme dovecot: imap(roy): Connection closed (No commands sent) in=0 out=360The ne is in OpenVPN.
Dec 11 12:01:39 catalina-sme dovecot: imap-login: Login: user=<roy>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19912, secured, session=<8vo8OgMpvIx/AAAB>
Dec 11 12:01:39 catalina-sme dovecot: imap(roy): Connection closed (No commands sent) in=0 out=360
Dec 11 12:03:51 catalina-sme dovecot: imap-login: Login: user=<roy>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19924, secured, session=<DNsjQgMpvox/AAAB>
Dec 11 12:03:51 catalina-sme dovecot: imap(roy): Connection closed (No commands sent) in=0 out=360
Dec 11 12:05:00 catalina-sme dovecot: imap-login: Login: user=<roy>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19935, secured, session=<U/48RgMpwIx/AAAB>
Dec 11 12:05:00 catalina-sme dovecot: imap(roy): Connection closed (No commands sent) in=0 out=360
Dec 11 12:05:49 catalina-sme dovecot: imap-login: Login: user=<roy>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19951, secured, session=<bq0lSQMpxox/AAAB>
Dec 11 12:05:49 catalina-sme dovecot: imap(roy): Connection closed (No commands sent) in=0 out=360
Dec 11 12:06:46 catalina-sme dovecot: imap-login: Login: user=<roy>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=19963, secured, session=<PbSPTAMpyIx/AAAB>
Dec 11 12:06:46 catalina-sme dovecot: imap(roy): Connection closed (No commands sent) in=0 out=360
Dec 12 01:33:09 catalina-sme dovecot: imap-login: Login: user=<roy>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=21469, secured, session=<pvRokA4pUo9/AAAB>
Dec 12 01:33:09 catalina-sme dovecot: imap(roy): Connection closed (No commands sent) in=0 out=360 -
This post is deleted! -
Hmm, that's from a local smtp server?
-
@stephenw10 Yeah, from the email server. So I looked at the BSD side of things. Looks like pfSense might be writing a script and connecting by the commandline with the info from the GUI, like using SMTP.
I haven't chased i down to the actual code.
So this is something I don't think there is a solution for easily.
If I fuss with it I might be able to tweak the system somehow, but it is a bad idea. It would go away with an update.
-
Hmm, well I always think more info is better even if it documents a failure.
-
@stephenw10 I guess I was probing to see if you wanted me to leave it in the forum.
I thought of writing a patch, but I am unsure if that is the right thing to do.
Roy
-
Hmm, those logs have me confused though. You have an internal email server and that's still failing?
-
Why are you showing imap connections :
@reberhar said in System/Advanced/Notifications/Email ... "Test SMTP Settings" - no emails:
xxxx-sme dovecot: imap-login: Login:
while the issue is smtp ?
-
@Gertjan Hi Gerjan,
Well the Dovecot log is what was offered. I watched it populate these entries as I did the testing. This entries correspond to the pfSense servers attempts to send email to SME. I think this log is the BSD SMTP client logging onto the SME SMTP server and not the IMAP.
The IMAP IP would not be localhost, 127.0.0.1. I can make an IMAP test if you like, but there have been no IMAP logins to "roy" during the time these dates cover. Why it says IMAP, I have no idea. What's more I never use the "roy" account to fetch mail, but only to login to send mail from pfSense notifications.
My take on this problem is that the pfSense smtp client successfully connects to the SME SMTP mail server, but the return route is to the latest server to connect sucessfully and so not necessarily the right one to return to. So really the SME SMTP side might be sending the response to the wrong place.
After all, if I understand correctly, my routing table has the Open VPN address of 56.0.0.1 with a port of 11000 for me and then the localhost number from the sending pfSense unit. Then it should have the correct OpenVPN client as the target. There is not a place to take care of 9 different servers with the same IP at the same port. All the pfsense Notification servers are using 465 as well.
When I was running multiple OpenVPN servers, one for each client site, this problem was disambiguated by each server having a different IP and port number. Easy cheesy, but cumbersome.
Of course I am willing to be wrong and want to be informed of where I am mistaken. I like to understand better.
Thanks Gertjan
-
@reberhar I have 4 pairs of HA/CARP pfSense units and 1 stand alone.
9 pfSense units, plus other servers at these locations that occasionally send logs in this manner.
