SMTP notifications can't connect

ohmantics

I have two sites (main and satellite) connected via a Wireguard tunnel. I'm running FRR BGP and the routes all look fine. I can connect to both sides properly from either side, etc. Everything generally works.

On the satellite site, I've just tried to setup SMTP notifications and am getting errors that it can't connect to our SMTP server. I can connect to it just fine from the shell.

The split DNS config I have setup will resolve the mail server FQDN if the tunnel is up or down and neither resolution causes connectivity to work.

The default gateway is set to Automatic, but setting it to the WAN doesn't resolve it.

If some firewall rule is relevant, I'm not sure which set of rules apply to the SMTP notification process; I'm not seeing any blocks logged, but I don't have logging on for the default block on every interface (not trying to kill SSDs fast). The tunnel has an allow any-to-any rule and nothing is blocked outbound on the WAN.

ohmantics

Oh look, the "Validate the SSL/TLS certificate presented by the server" checkbox doesn't seem to actually disable validation. (Yes, I'm using a self-signed certificate. Not debating that here.) I've tried adding the CA and certificate via the Certificates UI with the CA going into the system trust store.

It's connecting to the SMTP server from the tunnel address, which doesn't have a PTR record, so that also fails some of my postfix config's checks. PTR lookups aren't resolving between the two sites. Not quite sure how to do that -- I use the Forwarder.

stephenw10

So its throwing an error trying to connect to the server? What are you actually seeing?

ohmantics

@stephenw10

Could not send the message to root@example.com -- Error: Failed to connect to ssl://example.com:587 [SMTP: Failed to connect socket: stream_socket_client(): Unable to connect to ssl://example.com:587 (Unknown error) (code: -1, response: )]

Submission is set to require TLS and it's failing and not seeming to be taking the CA/certs I added.

Could not send the message to root@example.com -- Error: Failed to add recipient: root@example.com [SMTP: Invalid response code received from server (code: 450, response: 4.7.1 Client host rejected: cannot find your reverse hostname, [10.254.0.1])]

This is because there's no PTR for the far side of the tunnel between the sites and the dnsmasq setup is currently just domain override-based.

Gertjan

@ohmantics said in SMTP notifications can't connect:

ould not send the message to root@example.com -- Error: Failed to connect to ssl://example.com:587 [SMTP: Failed to connect socket: stream_socket_client(): Unable to connect to ssl://example.com:587 (Unknown error) (code: -1, response: )]

Submission is set to require TLS and it's failing and not seeming to be taking the CA/certs I added.

Submission, smtp using port 587 with authentification, is a clear connection in the beginning :

[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: telnet mail.bhf.tld 587
Trying 2001:41d0:dead:beef::3...
Connected to mail.bhf.tld.
Escape character is '^]'.
220 mail.bhf.tld ESMTP Postfix
EHLO itsme
250-mail.bhf.tld
250-PIPELINING
250-SIZE 31457280
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
...

as this (my) server supports submission with STARTTLS, pfSense sends a STARTTLS command (after the initial "EHLO itsme" command which will trigger the mail server to show its capabilities).
After STARTTLS is send, both sides switch over to TLS.
That is, if the mail server is set up to deal with TLS.

@ohmantics said in SMTP notifications can't connect:

code: 450, response: 4.7.1 Client host rejected: cannot find your reverse hostname, [10.254.0.1])

The IP the mail server sees is a RFC1918 IP. That's suspected.
You have a choice : disable the test that make the connection fail if no valid reverse can be found.
Or :

@ohmantics said in SMTP notifications can't connect:

It's connecting to the SMTP server from the tunnel address, which doesn't have a PTR record

so, tel the DNS that the mail server is using who "10.254.0.1" is (create a revers for it on its DNS).
Talking to a mail server with an IP that doesn't use a PTR (a reverse name) is considered very rude ^^

If you don't have issues with the usage of a gmail, this is easy to set up, you'll get a real time notification on your phone for free :

as the traffic is TLS "from bit zero" (port 465 = pure TLS) you don't need to tunnel it, it's already encrypted.