Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SSL/TLS Option Breaks My SMTP Notifications

    Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
    27 Posts 4 Posters 11.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ghostshellG
      ghostshell
      last edited by

      I have not changed my security settings on my mail server prior to 2.3 and have left the same settings in pfSense since I set them up and now if I use leave the SSL/TLS option checked notifications do not send, if I uncheck and use PLAIN or LOGIN auth it works just fine. Using either auth with SSL/TLS checked it does not send the test email. These are the errors I get from my mail server logs during sending a test email from pfSense.

      Jul 27 20:43:52 smtpd: > 502 5.5.2 Error: command not recognized
      Jul 27 20:43:52 smtpd: < :
      Jul 27 20:43:52 smtpd: > 500 5.5.2 Error: bad syntax
      Jul 27 20:43:52 smtpd: < :
      Jul 27 20:43:52 smtpd: > 500 5.5.2 Error: bad syntax
      Jul 27 20:43:52 smtpd: < :
      Jul 27 20:43:52 smtpd: > 500 5.5.2 Error: bad syntax

      I have tried a few fixes I have found on the forums such as making sure the sending address and the login account are the same and I have tried that. It does not look like in the log that sending to a GMail address is the issue, but something that changed with pfSense connecting to the mail server over SSL/TLS.

      I use postfix so if anyone has a working config while using the SSL/TLS options for notifications and would share I would appreciate it.

      1 Reply Last reply Reply Quote 0
      • N
        NOYB
        last edited by

        Mine works.  Postoffice is postfix with submission port 587.  pfSense is config for port 587 (submission) and enable starttls (not smtp over SSL/TLS) & notification email auth mechanism plain.

        1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan
          last edited by

          Mine works also.
          Postfix (of course  ;)) - port 465 - Secure SMTP Connection CHECKed : Enable SMTP over SSL/TLS

          Btw  : when 'mail' doesn't work, use the logs to see what's up :
          Jul 28 08:42:02 ns311465 brit-hotel-fumel.fr-smtps/smtpd[18310]: connect from Nowwhat-1-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
          Jul 28 08:42:02 ns311465 brit-hotel-fumel.fr-smtps/smtpd[18310]: Anonymous TLS connection established from nowwhat-1-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
          Jul 28 08:42:02 ns311465 brit-hotel-fumel.fr-smtps/smtpd[18310]: EC1B663E0A57: client=Nowwhat-1-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2], sasl_method=PLAIN, sasl_username=me@my-domaine.tld
          Jul 28 08:42:03 ns311465 postfix/cleanup[18359]: EC1B663E0A57: message-id=<>
          Jul 28 08:42:03 ns311465 postfix/qmgr[5144]: EC1B663E0A57: from=pfsense@work.tld, size=628, nrcpt=1 (queue active)
          Jul 28 08:42:03 ns311465 brit-hotel-fumel.fr-smtps/smtpd[18310]: disconnect from Nowwhat-1-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
          Jul 28 08:42:04 ns311465 amavis/smtpd[18364]: 98BA163E1210: client=localhost.localdomain[127.0.0.1]
          Jul 28 08:42:04 ns311465 postfix/cleanup[18359]: 98BA163E1210: message-id=20160728064204.98BA163E1210@ns311465.ip-188-165-201.eu
          Jul 28 08:42:04 ns311465 postfix/qmgr[5144]: 98BA163E1210: from=pfsense@work.tld, size=1432, nrcpt=1 (queue active)
          Jul 28 08:42:04 ns311465 postfix/smtp[18360]: EC1B663E0A57: to=me@my-domaine.tld, relay=127.0.0.1[127.0.0.1]:10026, delay=1.8, delays=0.33/0.01/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 98BA163E1210)
          Jul 28 08:42:04 ns311465 postfix/qmgr[5144]: EC1B663E0A57: removed
          Jul 28 08:42:04 ns311465 postfix/virtual[18365]: 98BA163E1210: to=me@my-domaine.tld, relay=virtual, delay=0.13, delays=0.04/0.01/0/0.08, dsn=2.0.0, status=sent (delivered to maildir)
          Jul 28 08:42:04 ns311465 postfix/qmgr[5144]: 98BA163E1210: removed/me@my-domaine.tld/me@my-domaine.tld/pfsense@work.tld/pfsense@work.tld

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • ghostshellG
            ghostshell
            last edited by

            So I did go back and enable 465, these are the first errors that show in the logs

            Jul 27 20:43:52 smtpd: > 502 5.5.2 Error: command not recognized
            Jul 27 20:43:52 smtpd: < :
            Jul 27 20:43:52 smtpd: > 500 5.5.2 Error: bad syntax
            Jul 27 20:43:52 smtpd: < :
            Jul 27 20:43:52 smtpd: > 500 5.5.2 Error: bad syntax
            Jul 27 20:43:52 smtpd: < :
            Jul 27 20:43:52 smtpd: > 500 5.5.2 Error: bad syntax

            Then all I get is these 2 entries then nothing relating to sending that mail

            Jul 28 21:33:29 www postfix/smtpd[19510]: lost connection after CONNECT from unknown[192.168.1.1]
            Jul 28 21:33:29 www postfix/smtpd[19510]: disconnect from unknown[192.168.1.1]

            Then if enabling STARTTLS I get something close to the above but slightly different

            Jul 28 21:35:12 www postfix/smtpd[31503]: lost connection after STARTTLS from unknown[192.168.1.1]
            Jul 28 21:35:12 www postfix/smtpd[31503]: disconnect from unknown[192.168.1.1]

            1 Reply Last reply Reply Quote 0
            • ghostshellG
              ghostshell
              last edited by

              If you could post a good secure as possible .cf I think its one of my settings, but I have not changed them recently

              1 Reply Last reply Reply Quote 0
              • ghostshellG
                ghostshell
                last edited by

                in the postfix master.cnf does it matter what order the lines are in like it matters with firewall rules?

                1 Reply Last reply Reply Quote 0
                • GertjanG
                  Gertjan
                  last edited by

                  This :
                  @ghostshell:

                  Jul 28 21:33:29 www postfix/smtpd[19510]: lost connection after CONNECT from unknown[192.168.1.1]
                  Jul 28 21:33:29 www postfix/smtpd[19510]: disconnect from unknown[192.168.1.1]

                  can't be possible.

                  Where is (who is) your mail server ?
                  Your connecting with your LAN IP ….. added to that : an IP without a "reverse DNS" : a postfix mail server will never accept that. That's like sending a letter by the post without a stamp.

                  You saw my example ?

                  Jul 28 08:42:02 ns311465 brit-hotel-fumel.fr-smtps/smtpd[18310]: connect from Nowwhat-1-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2[/code]
                  My pfSense uses a public IP (WAN IP) (IPv6 in this case) to send a mail to my mail server, some where on the internet.
                  
                  I'm not saying you can't use a LAN IP, but in that case your mail server would (should) be on your LAN (the 192.168.1.1).
                  Or you have a very strange network setup .... and we don't know nothing about your setup.
                  
                  So : it's normal that your notification mail doesn't work.
                  

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  1 Reply Last reply Reply Quote 0
                  • dennypageD
                    dennypage
                    last edited by

                    This isn't a error unless specifically configure to be. By default, postfix does not require reverse DNS. There are postfix detectives that control how this works–see reject_unknown_client_hostname and reject_unknown_reverse_client_hostname.

                    It would appear that the poster's Postfix server is on his local network, so it makes sense that it would connect using the LAN IP. If he were using a public mail service it is unlikely he would be able to offer the log file entries.

                    @Gertjan:

                    Your connecting with your LAN IP ….. added to that : an IP without a "reverse DNS" : a postfix mail server will never accept that. That's like sending a letter by the post without a stamp.

                    1 Reply Last reply Reply Quote 0
                    • ghostshellG
                      ghostshell
                      last edited by

                      pfsense LAN 1 = 192.168.0/24
                      mail server on LAN 1

                      Where I am at for the moment is this if this helps at all.

                      No SSL/TLS or STARTTLS checked with the current settings notifications work.

                      I was using the same settings for a long time and noticed that the last alert I got was back on Feb 6th, nothing since then until unchecking SSL/TLS.

                      I turned on submission and that broke some things so I turned it back off.

                      I try port 465 by enabling it in master.cf and I get the errors I posted in my OP.

                      I read to enable tls_wrapper, but when testing I do not get the test email still

                      Mail clients on IOS, my computer, etc… are using TLS just fine.

                      Issue only happens when using SSL/TLS option in the pfsense notification settings.

                      1 Reply Last reply Reply Quote 0
                      • N
                        NOYB
                        last edited by

                        Certificate trust issue?

                        1 Reply Last reply Reply Quote 0
                        • ghostshellG
                          ghostshell
                          last edited by

                          I dont think so as I have a storage server that has a notification screen that looks just like the pfsense screen except no STARTTLS option and using the options that do not work for pfsense work for that server as in

                          mail server local IP
                          port 465
                          SSL/TLS
                          login
                          from same as login
                          to address

                          it is using a different login, but everything else is the same

                          1 Reply Last reply Reply Quote 0
                          • ghostshellG
                            ghostshell
                            last edited by

                            By the way thank you all for helping me try to figure this out

                            soon I may give up and just not use SSL/TLS to secure the connection since its only internal and not an external connection

                            1 Reply Last reply Reply Quote 0
                            • N
                              NOYB
                              last edited by

                              @ghostshell:

                              I dont think so as I have a storage server that has a notification screen that looks just like the pfsense screen except no STARTTLS option and using the options that do not work for pfsense work for that server as in

                              mail server local IP
                              port 465
                              SSL/TLS
                              login
                              from same as login
                              to address

                              it is using a different login, but everything else is the same

                              Just because some other system trusts the certificate doesn't mean pfSense does.

                              1 Reply Last reply Reply Quote 0
                              • GertjanG
                                Gertjan
                                last edited by

                                If your mail server is on your LAN, and you trust other devices on the same LAN, you should be fine using a non-TLS/SSL (465) and/or submission (587).
                                Just send to the "25" port.
                                Of course, all the rest will be a pure postfix-setup-issue.

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                1 Reply Last reply Reply Quote 0
                                • ghostshellG
                                  ghostshell
                                  last edited by

                                  I deleted and re-added my email accounts on mt ipad and was able to use TLS on those devices successfully.

                                  I am trying to check the cert to make sure that is not it, anyone know the quickest way to test the cert postfix is using?

                                  My imap-ssl is not showing any issues with the cert it uses.

                                  Also getting some new log info when testing settings last night, will post when I start testing again.

                                  1 Reply Last reply Reply Quote 0
                                  • ghostshellG
                                    ghostshell
                                    last edited by

                                    Using http://www.checktls.com/ it seems to show the cert is validated and OK and was able to use TLS 1.2 successfully for the connection.

                                    Master.cf

                                    smtp      inet  n      -      n      -      -      smtpd -v

                                    submission inet n      -      n      -      -      smtpd -v
                                      -o smtpd_tls_security_level=encrypt
                                    #  -o smtpd_tls_security_level=may
                                    #  -o smtpd_sasl_auth_enable=yes
                                    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                                    #  -o milter_macro_daemon_name=ORIGINATING
                                    smtps    inet  n      -      n      -      -      smtpd -v
                                      -o smtpd_tls_wrappermode=yes
                                    #  -o smtpd_sasl_auth_enable=yes
                                    #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                                    #  -o milter_macro_daemon_name=ORIGINATING

                                    Using 25 or 465 with no SSL/TLS or STARTTLS option checked works

                                    1 Reply Last reply Reply Quote 0
                                    • N
                                      NOYB
                                      last edited by

                                      It doesn't matter what any thing else thinks of the cert.  pfSense has to trust it.

                                      1 Reply Last reply Reply Quote 0
                                      • ghostshellG
                                        ghostshell
                                        last edited by

                                        @NOYB:

                                        It doesn't matter what any thing else thinks of the cert.  pfSense has to trust it.

                                        Ok, then how will I know as the cert and postfix settings have not changed since my last alert email, i see nothing in the logs showing cert issues with pfsense 192.168.1.1

                                        pfsense logs show this error over and over

                                        php-fpm /system_advanced_notifications.php: Could not send the message to gmail.com – Error: could not start TLS connection encryption protocol

                                        1 Reply Last reply Reply Quote 0
                                        • N
                                          NOYB
                                          last edited by

                                          The two places I know of for the CA to be located in pfSense are:

                                          1. System / Certificate Manager / CAs
                                          2. /usr/local/share/certs/ca-root-nss.crt

                                          This is not to say there couldn't be some other location.  These are just the two I'm aware of.
                                          I am also not sure in which of the locations it is required to be for notifications.  Mine is in both.  But I'm thinking it probably has to be in ca-root-nss.crt.

                                          1 Reply Last reply Reply Quote 0
                                          • dennypageD
                                            dennypage
                                            last edited by

                                            Did you have to hand edit ca-root-nss.crt to add the CA?

                                            @NOYB:

                                            The two places I know of for the CA to be located in pfSense are:

                                            1. System / Certificate Manager / CAs
                                            2. /usr/local/share/certs/ca-root-nss.crt

                                            This is not to say there couldn't be some other location.  These are just the two I'm aware of.
                                            I am also not sure in which of the locations it is required to be for notifications.  Mine is in both.  But I'm thinking it probably has to be in ca-root-nss.crt.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.