Netgate Discussion Forum

    PfSense 2.3.2 and email notifications

      arginite

      Upgraded to pfSense 2.3.2 and email notifications have stopped working.
      Error in the log is

      /system_advanced_notifications.php: Could not send the message to blah@blah.com – Error: could not connect to the host "172.xxx.xxx.6": ??

      I have not changed the settings on the firewall or the mail server.

      The settings used on the firewall look correct and I have checked the account used to send notifications is still enabled and the password still works.

      I have found this bug https://redmine.pfsense.org/issues/5604, which could be related

      The only thing I can think of that could be causing an issue is that our mail server requires an encrypted password rather than plain. I have tried the Login rather than the Plain option on the notifications setup page but it made no difference.

      Any suggestion on how to resolve this issue?

      Disabling encrypted password for the user account is not an option with the mail server as it's a global option.

        johnpoz LAYER 8 Global Moderator

        "Error: could not connect to the host "172.xxx.xxx.6": ??"

        Doesn't seem like an auth issue, more like just can not even connect.  Is this server outside or inside your network? Have you validated you can talk to this server from your pfsense box?  Are you using fqdn in the notifications or IP?  Can you post up your notification settings?

        For example see mine using gmail.  And working just fine.

        emailsettings.jpg

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          arginite

          Mail server is inside the network, firewall can ping mail server from the ping page in pfSense.

          PING 172.xxx.xxx.6 (172.xxx.xxx.6) from 172.xxx.xxx.250: 56 data bytes
          64 bytes from 172.xxx.xxx.6: icmp_seq=0 ttl=128 time=0.283 ms
          64 bytes from 172.xxx.xxx.6: icmp_seq=1 ttl=128 time=0.257 ms
          64 bytes from 172.xxx.xxx.6: icmp_seq=2 ttl=128 time=0.333 ms

          --- 172.xxx.xxx.6 ping statistics ---
          3 packets transmitted, 3 packets received, 0.0% packet loss
          round-trip min/avg/max/stddev = 0.257/0.291/0.333/0.032 ms

          Have tried both IP and FQDN, no difference.

          All three emails in the screenshot are the same and it's definitely working, have checked spam, etc.

          pfsense.png

            johnpoz LAYER 8 Global Moderator

            If your email server is inside the network, I assume your 172 is rfc1918 ie 172.16-31 why are you obfuscating it?

            So you can ping it, that's good.. Can you hit on 465?  Why don't you test it with your openssl client and see what happens??

            example..

            
            [2.3.2-RELEASE][root@pfSense.local.lan]/root: openssl s_client -connect smtp.gmail.com:465
            CONNECTED(00000004)
            depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
            verify return:1
            depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
            verify return:1
            depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
            verify return:1
            depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
            verify return:1
            ---
            Certificate chain
             0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
               i:/C=US/O=Google Inc/CN=Google Internet Authority G2
             1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
               i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
             2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
               i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
            ---
            Server certificate
            subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
            issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
            ---
            No client certificate CA names sent
            ---
            SSL handshake has read 3727 bytes and written 417 bytes
            ---
            New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
            Server public key is 2048 bit
            Secure Renegotiation IS supported
            Compression: NONE
            Expansion: NONE
            SSL-Session:
                Protocol  : TLSv1.2
                Cipher    : ECDHE-RSA-AES128-GCM-SHA256
                Session-ID: 14E429EF37274630608B620D24AC9554F896DBFE95204B031E715927A8CFE678
                Session-ID-ctx:
                Master-Key: 45E73165670AB874A35A87CCE798636515BCE7B5748D19BE6C6CCC87E8F3EB97DAB9378BE4605D8C1685EBD2243775E2
                Key-Arg   : None
                PSK identity: None
                PSK identity hint: None
                SRP username: None
                TLS session ticket lifetime hint: 100800 (seconds)
                TLS session ticket:
            
                Start Time: 1473260826
                Timeout   : 300 (sec)
                Verify return code: 0 (ok)
            ---
            220 smtp.gmail.com ESMTP u76sm3184172ita.15 - gsmtp
            helo test.test.com
            250 smtp.gmail.com at your service
            
            

            Then you can send your commands and see what you get back from your email server, or at the very min that it connects without any issues with the certs, etc.

            If I had to make a wild guess, if you're using IP and not a fqdn, unless you setup SAN for that IP on your certs they are prob failing, etc.  Are you using a self signed cert or public signed trusted CA?

              dennypage

              If the mail server is using a certificate signed by a private CA, then you will not be able to establish a TLS/SSL connection.

              https://redmine.pfsense.org/issues/6687

                NOYB

                @dennypage:

                If the mail server is using a certificate signed by a private CA, then you will not be able to establish a TLS/SSL connection.

                https://redmine.pfsense.org/issues/6687

                Or if the mail server is using a certificate signed by a CA that has been removed from /usr/local/share/certs/ca-root-nss.crt.

                Such as this one: https://forum.pfsense.org/index.php?topic=115884.msg644711#msg644711

                The Full Thread:
                SSL/TLS Option Breaks My SMTP Notifications
                https://forum.pfsense.org/index.php?topic=115884.0

                  arginite

                  @johnpoz:

                  If your email server is inside the network, I assume your 172 is rfc1918 ie 172.16-31 why are you obfuscating it?

                  Force of habit I'm.

                  Issue is solved, read the thread posted by dennypage.
                  Disabled SSL and notifications are now working again.

                  Thanks for all the help

                  1 Reply Last reply Reply Quote 0
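
The checks walked through in this thread (does port 465 accept a connection, does the certificate chain verify against the CA bundle, does the server send its SMTP greeting), as an added example that is not part of any post above: a shell function that classifies saved `openssl s_client` output. The host name mail.example.lan, the function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage saved `openssl s_client` output for an SMTPS (465) server.
# Capture the input on the firewall with, for example:
#   openssl s_client -connect mail.example.lan:465 \
#     -CAfile /usr/local/share/certs/ca-root-nss.crt </dev/null >out.txt 2>&1
# (mail.example.lan is a placeholder host name.)

classify_smtps_check() {
    out=$(cat)
    # 1. No CONNECTED line: TCP never came up (routing, filter rule, wrong port).
    if ! printf '%s\n' "$out" | grep -q '^CONNECTED('; then
        echo "tcp-connect-failed"; return 0
    fi
    # 2. Pull the numeric code from the last "Verify return code: N (text)" line.
    code=$(printf '%s\n' "$out" |
        sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    case "$code" in
        0) ;;                                                    # chain verified
        18|19) echo "self-signed-or-private-root"; return 0 ;;   # private CA / self-signed
        20|21) echo "issuer-not-in-ca-bundle"; return 0 ;;       # issuer missing from bundle
        10) echo "certificate-expired"; return 0 ;;
        62|64) echo "name-or-ip-not-in-san"; return 0 ;;         # only with -verify_hostname / -verify_ip
        '') echo "tls-handshake-incomplete"; return 0 ;;
        *) echo "verify-failed-code-$code"; return 0 ;;
    esac
    # 3. Chain verified; an SMTP server should now greet with a 220 banner.
    if printf '%s\n' "$out" | grep -q '^220 '; then
        echo "ok"
    else
        echo "tls-ok-no-smtp-banner"
    fi
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_PRIVATE_CA='CONNECTED(00000004)
depth=0 CN = mail.example.lan
verify error:num=20:unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)'

SAMPLE_OK='CONNECTED(00000004)
    Verify return code: 0 (ok)
---
220 mail.example.lan ESMTP ready'

SAMPLE_REFUSED='connect: Connection refused
connect:errno=61'

printf '%s\n' "$SAMPLE_PRIVATE_CA" | classify_smtps_check
```

A result of `issuer-not-in-ca-bundle` or `self-signed-or-private-root` points at the trust store rather than at the network or the credentials; re-running the capture with `-CAfile` pointed at the private CA's certificate shows whether trusting that CA clears the error.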
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.