PfSense 2.3.2 and email notifications

arginite

Upgraded to pfSense 2.3.2 and email notifications have stopped working.
Error in the log is

/system_advanced_notifications.php: Could not send the message to blah@blah.com – Error: could not connect to the host "172.xxx.xxx.6": ??

I have not changed the settings on the firewall or the mail server.

The settings used on the firewall look correct and I have checked the account used to send notifications is still enabled and the password still works.

I have found this bug https://redmine.pfsense.org/issues/5604, which could be related

The only thing I can think of that could be causing an issue is that our mail server requires an encrypted password rather than plain, I have tried the Login rather the Plain option on the notifications set up page but it made no difference.

Any suggestion on how to resolve this issue?

Disabling encrypted password for the user account is not an option with the mail server as it's a global option.

johnpoz

"Error: could not connect to the host "172.xxx.xxx.6": ??"

Doesn't seem like an auth issue, more like just can not even connect. Is this server outside or inside your network? Have you validated you can talk to this server from your pfsense box? Are you using fqdn in the notifications or IP? can you post up your notification settings.

For example see mine using gmail. And working just fine.

emailsettings.jpg_thumb

arginite

Mail server is inside the network, firewall can ping mail server from the ping page in pfSense.

PING 172.xxx.xxx.6 (172.xxx.xxx.6) from 172.xxx.xxx.250: 56 data bytes
64 bytes from 172.xxx.xxx.6: icmp_seq=0 ttl=128 time=0.283 ms
64 bytes from 172.xxx.xxx.6: icmp_seq=1 ttl=128 time=0.257 ms
64 bytes from 172.xxx.xxx.6: icmp_seq=2 ttl=128 time=0.333 ms

–- 172.xxx.xxx.6 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.257/0.291/0.333/0.032 ms

Have tried both IP and FDNQ, no difference.

All three email in the screen shot are the same and it's definitely working, have checked spam, etc.

pfsense.png_thumb

johnpoz

If your email server is inside the network, I assume your 172 is rfc1918 ie 172.16-31 why are you obfuscating it?

So you can ping it thats good.. Can you hit on 465? Why don't you test it with your openssl client and see what happens??

example..


[2.3.2-RELEASE][root@pfSense.local.lan]/root: openssl s_client -connect smtp.gmail.com:465
CONNECTED(00000004)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIITC5SWm6/x1AwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwOTAxMTM0NTAwWhcNMTYxMTI0MTM0NTAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOc210
cC5nbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGamdn
T/x6Hj0GXicAIwtKhHVson1920lcW3ByPIE1ubxXBWQOONfkHVT+RKnaq4NKC2aT
d+e0fBPGaXPmgt09llF1113VSy/jhoaFE4hHoiPeeudDPt8YGSL+Ce+pp9zXR6L7
QwRRMBpYxOxL10hi1nHCDnqYBROpIPUilcCelnTO7tBLySQJ8qtzokiveZg1hMPY
CVZYTBFTVObQ/GCWVhmWR5V63WUIXDco8SrXtCFwd6wlqhJTN/NiWT1EhJRoF73x
YxQN6LxlqlYrNRKf47PhEk6W3isiXpFAN5NbhefAj4fYXkgP0gePky5cZlYmeO54
1Ipnb7S/Rk8n8raRAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOc210cC5nbWFpbC5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBTKpyClaxLZoImedINn7UZgS8OxUTAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEADxLJypSiV0DxqoLO
Hf5fex8Am3Ehtkq/PpLcRXgiqYYA+FmxTZh40Ns6XZJepIgDzKNSnR1zFvozpRRv
YY7Xid+IGleNy4yBaa9sz7NCiNdtqTxukgK31SX0yfh8sHqc6uHARv0PLzHsU14M
ja+8tK+3Myb1aJv72eKVQ491f+CPX03VsxK/+1k51OAHq/LAHv1ql9KJDVQC1osw
T3Ia2rYD+dg5v+BOR7zgWS5Z5aCCm2zaYQpmDmq/+DPkSRRC8ZlbZALKyk3kpB6C
98IwEOCgiCTaP/uIUnnR2miv+w07yublBp45jV5fcCZdkmFuMlqiAnQGZ59U6mwV
NQsZNA==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3727 bytes and written 417 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 14E429EF37274630608B620D24AC9554F896DBFE95204B031E715927A8CFE678
    Session-ID-ctx:
    Master-Key: 45E73165670AB874A35A87CCE798636515BCE7B5748D19BE6C6CCC87E8F3EB97DAB9378BE4605D8C1685EBD2243775E2
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 4c ec 6c cb 65 2b d7 e7-e5 5a 37 eb d7 99 df 25   L.l.e+...Z7....%
    0010 - ea 9a ca d0 dc be 1b 85-ad e2 a0 57 cd 37 49 33   ...........W.7I3
    0020 - 08 db 69 ac b2 d6 7a ce-9c 5c 6b 95 94 9f 91 36   ..i...z..\k....6
    0030 - 17 df 7c 75 32 b0 c2 b2-d2 73 4b c6 d7 92 5f dd   ..|u2....sK..._.
    0040 - db 24 44 4a ca d7 74 ae-b0 ed 37 80 7c ec 5a 9f   .$DJ..t...7.|.Z.
    0050 - 2b c8 cc 6a 0c 5d 04 41-7e 31 e2 48 43 8a 1a 3e   +..j.].A~1.HC..>
    0060 - c2 ab b1 11 ea 70 47 3b-b7 55 c1 e4 31 22 ba 55   .....pG;.U..1".U
    0070 - 80 1f 2a 68 3e b8 39 b2-3b 3d 81 56 f7 f1 37 dd   ..*h>.9.;=.V..7.
    0080 - 37 3a 0d 0b 45 62 87 35-38 9a 4d df fc bf 94 3e   7:..Eb.58.M....>
    0090 - 1b 4f bd 92 98 0e 8a 1d-a8 03 64 6c e7 dc 72 01   .O........dl..r.
    00a0 - ca ad 37 e2                                       ..7.

    Start Time: 1473260826
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 smtp.gmail.com ESMTP u76sm3184172ita.15 - gsmtp
helo test.test.com
250 smtp.gmail.com at your service

Then you can send your commands and see what you get back from your email server or that very min that it connects without any issues with the certs, etc.

If I had to make a wild guess if your using IP and not a fqdn, unless you setup SAN for that IP on your certs they are prob failing, etc. Are you using a self signed cert or public signed trusted CA?

dennypage

If the mail server is using a certificated signed by a private CA, then you will not be able to establish a TLS/SSL connection.

https://redmine.pfsense.org/issues/6687

NOYB

@dennypage:

If the mail server is using a certificated signed by a private CA, then you will not be able to establish a TLS/SSL connection.

https://redmine.pfsense.org/issues/6687

Or if the mail server is using a certificate signed by a CA that has been removed from /usr/local/share/certs/ca-root-nss.crt.

Such as this one: https://forum.pfsense.org/index.php?topic=115884.msg644711#msg644711

The Full Thread:
SSL/TLS Option Breaks My SMTP Notifications
https://forum.pfsense.org/index.php?topic=115884.0

arginite

@johnpoz:

If your email server is inside the network, I assume your 172 is rfc1918 ie 172.16-31 why are you obfuscating it?

Force of habit I'm.

Issue is solved read the thread posted by dennypage.
Disabled SSL and notifications are now working again.

Thanks for all the help