Outgoing Mail
-
Don't know if there is a fix for this one or not, but what I'm trying to do is a work around for consumer hardware that has a very simple email alert system that uses port 25 and sends everything in clear text. Clearly a recipe for disaster.
I was wondering if there is a way of having pfsense act like a proxy, take the traffic off the LAN on port 25 and send it out TLS on the appropriate port. If necessary, it would be fine to change the sender address to something that was configured within pfSense.
Can this be done? If so, how? Thanks.
-
Hikvision camera by any chance?
I setup a dedicated Ubuntu server virtual machine running postfix on my internal network to act as a mail relay. It accepts connections on port 25 and sends to gmail via port 587 over TLS so that I can receive email alerts via gmail. Not that hard to do and there are various tutorials online. I can share my postfix config if interested.
I used the following as a guide: https://www.howtoforge.com/tutorial/configure-postfix-to-use-gmail-as-a-mail-relay/
-
It looks like there is a postfix package coming to 2.3, so should be able to do what you are looking for if you don't want to use a different machine.
https://github.com/pfsense/FreeBSD-ports/pull/23
-
It looks like there is a postfix package coming to 2.3, so should be able to do what you are looking for if you don't want to use a different machine.
https://github.com/pfsense/FreeBSD-ports/pull/23
Unless someone comes up with a better solution, I guess I'll have to wait and give it a shot then. Don't really want to depend on another box. If I'm on holiday, the only thing on will likely be the modem, pfsense and any cameras or IoT monitoring devices.
You are right about a camera, but a different brand… I've played with several, and they pretty much all have mickey mouse mailing systems and questionable security. I would never expose one to the internet unless I had a protective VPN/firewall in front of it to keep it from getting hacked over. To be honest, I'm not really sure I trust the manufacturer (China) either.
-
Don't really want to depend on another box.
Some things - like MTAs - don't really belong on a firewall.
-
Some things - like MTAs - don't really belong on a firewall.
Sure and do agree on this but then quite a lot of packages like HTTP proxy should be removed or ignored.
I do share that firewall should, most of the time act firewall only but in some cases, the "all-in-one" concept has some added value, one being to aggregate in one box with one unified graphic interface multiple infrastructure services required for SoHo or even SMB.Should pfSense act as such all-in-one box?
That where pfSense communication and strategy, to me, is not that clear. -
I also agree, but some packages, like HA Proxy, might exist so pfSense can function as a proxy OR a firewall. Not necessarily a proxy AND a firewall.
That is just an example. HA proxy generally runs fine on the firewall though it could certainly be argued it is not the best place for it.
Just because the packages exist doesn't mean they can all be run at the same time on the same node without issues.