Netgate Discussion Forum

SSL/TLS Option Breaks My SMTP Notifications

Category: Problems Installing or Upgrading pfSense Software
27 Posts 4 Posters 11.7k Views
  • G
    Gertjan
    last edited by Jul 28, 2016, 6:46 AM

    Mine works also.
    Postfix (of course ;)) - port 465 - Secure SMTP Connection CHECKED: Enable SMTP over SSL/TLS

    Btw: when 'mail' doesn't work, use the logs to see what's up:
    Jul 28 08:42:02 ns311465 brit-hotel-fumel.fr-smtps/smtpd[18310]: connect from Nowwhat-1-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
    Jul 28 08:42:02 ns311465 brit-hotel-fumel.fr-smtps/smtpd[18310]: Anonymous TLS connection established from nowwhat-1-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Jul 28 08:42:02 ns311465 brit-hotel-fumel.fr-smtps/smtpd[18310]: EC1B663E0A57: client=Nowwhat-1-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2], sasl_method=PLAIN, sasl_username=me@my-domaine.tld
    Jul 28 08:42:03 ns311465 postfix/cleanup[18359]: EC1B663E0A57: message-id=<>
    Jul 28 08:42:03 ns311465 postfix/qmgr[5144]: EC1B663E0A57: from=pfsense@work.tld, size=628, nrcpt=1 (queue active)
    Jul 28 08:42:03 ns311465 brit-hotel-fumel.fr-smtps/smtpd[18310]: disconnect from Nowwhat-1-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
    Jul 28 08:42:04 ns311465 amavis/smtpd[18364]: 98BA163E1210: client=localhost.localdomain[127.0.0.1]
    Jul 28 08:42:04 ns311465 postfix/cleanup[18359]: 98BA163E1210: message-id=20160728064204.98BA163E1210@ns311465.ip-188-165-201.eu
    Jul 28 08:42:04 ns311465 postfix/qmgr[5144]: 98BA163E1210: from=pfsense@work.tld, size=1432, nrcpt=1 (queue active)
    Jul 28 08:42:04 ns311465 postfix/smtp[18360]: EC1B663E0A57: to=me@my-domaine.tld, relay=127.0.0.1[127.0.0.1]:10026, delay=1.8, delays=0.33/0.01/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 98BA163E1210)
    Jul 28 08:42:04 ns311465 postfix/qmgr[5144]: EC1B663E0A57: removed
    Jul 28 08:42:04 ns311465 postfix/virtual[18365]: 98BA163E1210: to=me@my-domaine.tld, relay=virtual, delay=0.13, delays=0.04/0.01/0/0.08, dsn=2.0.0, status=sent (delivered to maildir)
    Jul 28 08:42:04 ns311465 postfix/qmgr[5144]: 98BA163E1210: removed

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

    • G
      ghostshell
      last edited by Jul 29, 2016, 4:36 AM

      So I did go back and enable 465; these are the first errors that show in the logs:

      Jul 27 20:43:52 smtpd: > 502 5.5.2 Error: command not recognized
      Jul 27 20:43:52 smtpd: < :
      Jul 27 20:43:52 smtpd: > 500 5.5.2 Error: bad syntax
      Jul 27 20:43:52 smtpd: < :
      Jul 27 20:43:52 smtpd: > 500 5.5.2 Error: bad syntax
      Jul 27 20:43:52 smtpd: < :
      Jul 27 20:43:52 smtpd: > 500 5.5.2 Error: bad syntax

      Then all I get is these two entries, then nothing relating to sending that mail:

      Jul 28 21:33:29 www postfix/smtpd[19510]: lost connection after CONNECT from unknown[192.168.1.1]
      Jul 28 21:33:29 www postfix/smtpd[19510]: disconnect from unknown[192.168.1.1]

      Then if enabling STARTTLS I get something close to the above, but slightly different:

      Jul 28 21:35:12 www postfix/smtpd[31503]: lost connection after STARTTLS from unknown[192.168.1.1]
      Jul 28 21:35:12 www postfix/smtpd[31503]: disconnect from unknown[192.168.1.1]

      • G
        ghostshell
        last edited by Jul 29, 2016, 5:45 AM

        If you could post a good, as secure as possible, .cf... I think it's one of my settings, but I have not changed them recently.

        • G
          ghostshell
          last edited by Jul 29, 2016, 6:07 AM

          In the postfix master.cf, does it matter what order the lines are in, like it matters with firewall rules?

          • G
            Gertjan
            last edited by Jul 31, 2016, 12:31 PM

            This:
            @ghostshell:

            Jul 28 21:33:29 www postfix/smtpd[19510]: lost connection after CONNECT from unknown[192.168.1.1]
            Jul 28 21:33:29 www postfix/smtpd[19510]: disconnect from unknown[192.168.1.1]

            can't be possible.

            Where is (who is) your mail server?
            You're connecting with your LAN IP ... added to that: an IP without a "reverse DNS": a postfix mail server will never accept that. That's like sending a letter by the post without a stamp.

            You saw my example?

            Jul 28 08:42:02 ns311465 brit-hotel-fumel.fr-smtps/smtpd[18310]: connect from Nowwhat-1-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
            My pfSense uses a public IP (WAN IP) (IPv6 in this case) to send a mail to my mail server, somewhere on the internet.

            I'm not saying you can't use a LAN IP, but in that case your mail server would (should) be on your LAN (the 192.168.1.1).
            Or you have a very strange network setup .... and we know nothing about your setup.

            So: it's normal that your notification mail doesn't work.



            • D
              dennypage
              last edited by Jul 31, 2016, 3:31 PM

              This isn't an error unless specifically configured to be. By default, postfix does not require reverse DNS. There are postfix directives that control how this works; see reject_unknown_client_hostname and reject_unknown_reverse_client_hostname.

              It would appear that the poster's Postfix server is on his local network, so it makes sense that it would connect using the LAN IP. If he were using a public mail service it is unlikely he would be able to offer the log file entries.

              @Gertjan:

              You're connecting with your LAN IP ... added to that: an IP without a "reverse DNS": a postfix mail server will never accept that. That's like sending a letter by the post without a stamp.

              • G
                ghostshell
                last edited by Aug 2, 2016, 3:06 AM

                pfsense LAN 1 = 192.168.0/24
                mail server on LAN 1

                Where I am at for the moment is this if this helps at all.

                No SSL/TLS or STARTTLS checked with the current settings notifications work.

                I was using the same settings for a long time and noticed that the last alert I got was back on Feb 6th, nothing since then until unchecking SSL/TLS.

                I turned on submission and that broke some things so I turned it back off.

                I try port 465 by enabling it in master.cf and I get the errors I posted in my OP.

                I read to enable tls_wrapper, but when testing I still do not get the test email.

                Mail clients on iOS, my computer, etc... are using TLS just fine.

                Issue only happens when using SSL/TLS option in the pfsense notification settings.

                • N
                  NOYB
                  last edited by Aug 2, 2016, 3:59 AM

                  Certificate trust issue?

                  • G
                    ghostshell
                    last edited by Aug 2, 2016, 4:42 AM

                    I don't think so, as I have a storage server that has a notification screen that looks just like the pfSense screen, except with no STARTTLS option, and the options that do not work for pfSense work for that server, as in:

                    mail server local IP
                    port 465
                    SSL/TLS
                    login
                    from same as login
                    to address

                    It is using a different login, but everything else is the same.

                    • G
                      ghostshell
                      last edited by Aug 2, 2016, 4:43 AM

                      By the way thank you all for helping me try to figure this out

                      Soon I may give up and just not use SSL/TLS to secure the connection, since it's only internal and not an external connection.

                      • N
                        NOYB
                        last edited by Aug 2, 2016, 5:33 AM

                        @ghostshell:

                        I don't think so, as I have a storage server that has a notification screen that looks just like the pfSense screen, except with no STARTTLS option, and the options that do not work for pfSense work for that server, as in:

                        mail server local IP
                        port 465
                        SSL/TLS
                        login
                        from same as login
                        to address

                        It is using a different login, but everything else is the same.

                        Just because some other system trusts the certificate doesn't mean pfSense does.

                        • G
                          Gertjan
                          last edited by Aug 2, 2016, 6:44 AM

                          If your mail server is on your LAN, and you trust other devices on the same LAN, you should be fine using a non-TLS/SSL (465) and/or submission (587).
                          Just send to the "25" port.
                          Of course, all the rest will be a pure postfix-setup-issue.


                          • G
                            ghostshell
                            last edited by Aug 3, 2016, 4:08 AM

                            I deleted and re-added my email accounts on my iPad and was able to use TLS on those devices successfully.

                            I am trying to check the cert to make sure that is not it, anyone know the quickest way to test the cert postfix is using?

                            My imap-ssl is not showing any issues with the cert it uses.

                            Also getting some new log info when testing settings last night, will post when I start testing again.

                            • G
                              ghostshell
                              last edited by Aug 3, 2016, 5:07 AM Aug 3, 2016, 4:26 AM

                              Using http://www.checktls.com/ it seems to show the cert is validated and OK and was able to use TLS 1.2 successfully for the connection.

                              Master.cf

                              smtp      inet  n      -      n      -      -      smtpd -v

                              submission inet n      -      n      -      -      smtpd -v
                                -o smtpd_tls_security_level=encrypt
                              #  -o smtpd_tls_security_level=may
                              #  -o smtpd_sasl_auth_enable=yes
                              #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                              #  -o milter_macro_daemon_name=ORIGINATING
                              smtps    inet  n      -      n      -      -      smtpd -v
                                -o smtpd_tls_wrappermode=yes
                              #  -o smtpd_sasl_auth_enable=yes
                              #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
                              #  -o milter_macro_daemon_name=ORIGINATING

                              Using 25 or 465 with no SSL/TLS or STARTTLS option checked works

                              • N
                                NOYB
                                last edited by Aug 3, 2016, 4:55 AM

                                It doesn't matter what anything else thinks of the cert. pfSense has to trust it.

                                • G
                                  ghostshell
                                  last edited by Aug 3, 2016, 5:15 AM Aug 3, 2016, 5:08 AM

                                  @NOYB:

                                  It doesn't matter what anything else thinks of the cert. pfSense has to trust it.

                                  OK, then how will I know? The cert and postfix settings have not changed since my last alert email; I see nothing in the logs showing cert issues with pfSense 192.168.1.1.

                                  pfsense logs show this error over and over

                                  php-fpm /system_advanced_notifications.php: Could not send the message to gmail.com – Error: could not start TLS connection encryption protocol

                                  • N
                                    NOYB
                                    last edited by Aug 3, 2016, 5:38 AM

                                    The two places I know of for the CA to be located in pfSense are:

                                    1. System / Certificate Manager / CAs
                                    2. /usr/local/share/certs/ca-root-nss.crt

                                    This is not to say there couldn't be some other location.  These are just the two I'm aware of.
                                    I am also not sure in which of the locations it is required to be for notifications.  Mine is in both.  But I'm thinking it probably has to be in ca-root-nss.crt.

                                    • D
                                      dennypage
                                      last edited by Aug 3, 2016, 5:50 AM

                                      Did you have to hand edit ca-root-nss.crt to add the CA?

                                      @NOYB:

                                      The two places I know of for the CA to be located in pfSense are:

                                      1. System / Certificate Manager / CAs
                                      2. /usr/local/share/certs/ca-root-nss.crt

                                      This is not to say there couldn't be some other location.  These are just the two I'm aware of.
                                      I am also not sure in which of the locations it is required to be for notifications.  Mine is in both.  But I'm thinking it probably has to be in ca-root-nss.crt.

                                      • N
                                        NOYB
                                        last edited by Sep 21, 2016, 9:23 PM Aug 3, 2016, 6:55 AM

                                        Yes, I just added it below all the other CA's and incremented the number of certificates.

                                        Mine is a self-signed, so I had to add it. I wish PHP curl could use it from the one that is in config (System / Certificate Manager / CAs) so it would survive upgrades and I wouldn't have to remember to add it to the file.

                                        Here are the results of the notification test message without and with my CA added to the ca-root-nss.crt file.

                                        
                                        Aug 2 23:47:48  php-fpm  42511  /system_advanced_notifications.php: Message sent to xxx@yyy.com OK
                                        Aug 2 23:47:06  php-fpm  11699  /system_advanced_notifications.php: Could not send the message to xxx@yyy.com -- Error: could not start TLS connection encryption protocol

                                        • N
                                          NOYB
                                          last edited by Aug 3, 2016, 7:23 AM

                                          According to a kdiff comparison it appears this certificate was present in 2.3 but is absent in 2.3.2.  If that is the CA for your cert then that would likely be why it quit working.

                                          /usr/local/share/certs/ca-root-nss.crt

                                          
                                          Certificate:
                                              Data:
                                                  Version: 3 (0x2)
                                                  Serial Number: 36 (0x24)
                                              Signature Algorithm: sha1WithRSAEncryption
                                                  Issuer: C=FI, O=Sonera, CN=Sonera Class1 CA
                                                  Validity
                                                      Not Before: Apr  6 10:49:13 2001 GMT
                                                      Not After : Apr  6 10:49:13 2021 GMT
                                                  Subject: C=FI, O=Sonera, CN=Sonera Class1 CA
                                                  Subject Public Key Info:
                                                      Public Key Algorithm: rsaEncryption
                                                          Public-Key: (2048 bit)
                                                          Modulus:
                                                              00:b5:89:1f:2b:4f:67:0a:79:ff:c5:1e:f8:7f:3c:
                                                              ed:d1:7e:da:b0:cd:6d:2f:36:ac:34:c6:db:d9:64:
                                                              17:08:63:30:33:22:8a:4c:ee:8e:bb:0f:0d:42:55:
                                                              c9:9d:2e:a5:ef:f7:a7:8c:c3:ab:b9:97:cb:8e:ef:
                                                              3f:15:67:a8:82:72:63:53:0f:41:8c:7d:10:95:24:
                                                              a1:5a:a5:06:fa:92:57:9d:fa:a5:01:f2:75:e9:1f:
                                                              bc:56:26:52:4e:78:19:65:58:55:03:58:c0:14:ae:
                                                              8c:7c:55:5f:70:5b:77:23:06:36:97:f3:24:b5:9a:
                                                              46:95:e4:df:0d:0b:05:45:e5:d1:f2:1d:82:bb:c6:
                                                              13:e0:fe:aa:7a:fd:69:30:94:f3:d2:45:85:fc:f2:
                                                              32:5b:32:de:e8:6c:5d:1f:cb:a4:22:74:b0:80:8e:
                                                              5d:94:f7:06:00:4b:a9:d4:5e:2e:35:50:09:f3:80:
                                                              97:f4:0c:17:ae:39:d8:5f:cd:33:c1:1c:ca:89:c2:
                                                              22:f7:45:12:ed:5e:12:93:9d:63:ab:82:2e:b9:eb:
                                                              42:41:44:cb:4a:1a:00:82:0d:9e:f9:8b:57:3e:4c:
                                                              c7:17:ed:2c:8b:72:33:5f:72:7a:38:56:d5:e6:d9:
                                                              ae:05:1a:1d:75:45:b1:cb:a5:25:1c:12:57:36:fd:
                                                              22:37
                                                          Exponent: 65537 (0x10001)
                                                  X509v3 extensions:
                                                      X509v3 Basic Constraints: critical
                                                          CA:TRUE
                                                      X509v3 Subject Key Identifier: 
                                                          47:E2:0C:8B:F6:53:88:52
                                                      X509v3 Key Usage: 
                                                          Certificate Sign, CRL Sign
                                              Signature Algorithm: sha1WithRSAEncryption
                                                   8b:1a:b2:c9:5d:61:b4:e1:b9:2b:b9:53:d1:b2:85:9d:77:8e:
                                                   16:ee:11:3d:db:c2:63:d9:5b:97:65:fb:12:67:d8:2a:5c:b6:
                                                   ab:e5:5e:c3:b7:16:2f:c8:e8:ab:1d:8a:fd:ab:1a:7c:d5:5f:
                                                   63:cf:dc:b0:dd:77:b9:a8:e6:d2:22:38:87:07:14:d9:ff:be:
                                                   56:b5:fd:07:0e:3c:55:ca:16:cc:a7:a6:77:37:fb:db:5c:1f:
                                                   4e:59:06:87:a3:03:43:f5:16:ab:b7:84:bd:4e:ef:9f:31:37:
                                                   f0:46:f1:40:b6:d1:0c:a5:64:f8:63:5e:21:db:55:4e:4f:31:
                                                   76:9c:10:61:8e:b6:53:3a:a3:11:be:af:6d:7c:1e:bd:ae:2d:
                                                   e2:0c:69:c7:85:53:68:a2:61:ba:c5:3e:b4:79:54:78:9e:0a:
                                                   c7:02:be:62:d1:11:82:4b:65:2f:91:5a:c2:a8:87:b1:56:68:
                                                   94:79:f9:25:f7:c1:d5:ae:1a:b8:bb:3d:8f:a9:8a:38:15:f7:
                                                   73:d0:5a:60:d1:80:b0:f0:dc:d5:50:cd:4e:ee:92:48:69:ed:
                                                   b2:23:1e:30:cc:c8:94:c8:b6:f5:3b:86:7f:3f:a6:2e:9f:f6:
                                                   3e:2c:b5:92:96:3e:df:2c:93:8a:ff:81:8c:0f:0f:59:21:19:
                                                   57:bd:55:9a
                                          SHA1 Fingerprint=07:47:22:01:99:CE:74:B9:7C:B0:3D:79:B2:64:A2:C8:55:E9:33:FF
                                          -----BEGIN CERTIFICATE-----
                                          MIIDIDCCAgigAwIBAgIBJDANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGSTEP
                                          MA0GA1UEChMGU29uZXJhMRkwFwYDVQQDExBTb25lcmEgQ2xhc3MxIENBMB4XDTAx
                                          MDQwNjEwNDkxM1oXDTIxMDQwNjEwNDkxM1owOTELMAkGA1UEBhMCRkkxDzANBgNV
                                          BAoTBlNvbmVyYTEZMBcGA1UEAxMQU29uZXJhIENsYXNzMSBDQTCCASIwDQYJKoZI
                                          hvcNAQEBBQADggEPADCCAQoCggEBALWJHytPZwp5/8Ue+H887dF+2rDNbS82rDTG
                                          29lkFwhjMDMiikzujrsPDUJVyZ0upe/3p4zDq7mXy47vPxVnqIJyY1MPQYx9EJUk
                                          oVqlBvqSV536pQHydekfvFYmUk54GWVYVQNYwBSujHxVX3BbdyMGNpfzJLWaRpXk
                                          3w0LBUXl0fIdgrvGE+D+qnr9aTCU89JFhfzyMlsy3uhsXR/LpCJ0sICOXZT3BgBL
                                          qdReLjVQCfOAl/QMF6452F/NM8EcyonCIvdFEu1eEpOdY6uCLrnrQkFEy0oaAIIN
                                          nvmLVz5MxxftLItyM19yejhW1ebZrgUaHXVFsculJRwSVzb9IjcCAwEAAaMzMDEw
                                          DwYDVR0TAQH/BAUwAwEB/zARBgNVHQ4ECgQIR+IMi/ZTiFIwCwYDVR0PBAQDAgEG
                                          MA0GCSqGSIb3DQEBBQUAA4IBAQCLGrLJXWG04bkruVPRsoWdd44W7hE928Jj2VuX
                                          ZfsSZ9gqXLar5V7DtxYvyOirHYr9qxp81V9jz9yw3Xe5qObSIjiHBxTZ/75Wtf0H
                                          DjxVyhbMp6Z3N/vbXB9OWQaHowND9Rart4S9Tu+fMTfwRvFAttEMpWT4Y14h21VO
                                          TzF2nBBhjrZTOqMRvq9tfB69ri3iDGnHhVNoomG6xT60eVR4ngrHAr5i0RGCS2Uv
                                          kVrCqIexVmiUefkl98HVrhq4uz2PqYo4Ffdz0Fpg0YCw8NzVUM1O7pJIae2yIx4w
                                          zMiUyLb1O4Z/P6Yun/Y+LLWSlj7fLJOK/4GMDw9ZIRlXvVWa
                                          -----END CERTIFICATE-----
                                          
                                          
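Two things in this thread are worth checking from the client side with a tool rather than by reading smtpd logs: ghostshell's question about the quickest way to test the cert Postfix is serving, and the earlier "500 5.5.2 Error: bad syntax" lines, which are what Postfix answers when TLS handshake bytes arrive on a listener that is still expecting plaintext SMTP commands (pfSense's SSL/TLS option is implicit TLS, so the 465 listener needs the `smtpd_tls_wrappermode=yes` shown in the master.cf above). The probe below is an added example written for this thread, not code from pfSense, Postfix or any of the posters. It first works out whether the port greets with a 220 banner (plaintext, TLS only via STARTTLS) or waits silently for a ClientHello (implicit TLS), then does the handshake the matching way, verifies the chain against a CA file and reports the served certificate's subject, issuer and SHA1 fingerprint. The function names, the host name `probe.invalid` and the in-process fake listeners used for the offline demo are all constructed for this example.

```python
import hashlib
import socket
import ssl
import threading

def _read_line(sock):
    """Read one CRLF-terminated SMTP line; b"" on timeout or close."""
    data = b""
    try:
        while not data.endswith(b"\r\n"):
            chunk = sock.recv(1)
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        pass
    return data

def _read_reply(sock):
    """Read a whole SMTP reply, following "250-..." continuation lines."""
    lines = []
    while True:
        line = _read_line(sock)
        if not line:
            break
        lines.append(line.decode("ascii", "replace").rstrip("\r\n"))
        if len(line) < 4 or line[3:4] != b"-":
            break
    return lines

def _tls_handshake(sock, host, cafile, result):
    """TLS-wrap an open socket, verifying the chain against cafile (system store if None)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        ssock = ctx.wrap_socket(sock, server_hostname=host)
    except ssl.SSLCertVerificationError as exc:
        result["tls_error"] = "certificate verification failed: %s" % exc.verify_message
        return
    except (ssl.SSLError, OSError) as exc:
        result["tls_error"] = "handshake failed: %s" % exc
        return
    der = ssock.getpeercert(binary_form=True)
    cert = ssock.getpeercert()  # parsed dict, only filled in when verification succeeded
    result["sha1"] = ":".join("%02X" % b for b in hashlib.sha1(der).digest())
    result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
    result["issuer"] = dict(rdn[0] for rdn in cert.get("issuer", ()))
    result["tls_ok"] = True
    ssock.close()

def probe_smtp_port(host, port, cafile=None, timeout=2.0):
    """"plaintext": the port greets with 220, so TLS is only possible via STARTTLS
    (25/587 style); "no-banner": it waits silently for a ClientHello, i.e. implicit
    TLS (smtps/465, smtpd_tls_wrappermode=yes). Then do TLS the matching way."""
    result = {"mode": None, "starttls": False, "tls_ok": False, "tls_error": None,
              "sha1": None, "subject": None, "issuer": None}
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.settimeout(timeout)
    banner = _read_reply(sock)
    if banner and banner[0].startswith("220"):
        result["mode"] = "plaintext"
        sock.sendall(b"EHLO probe.invalid\r\n")
        ehlo = _read_reply(sock)
        result["starttls"] = any(l[4:].upper().startswith("STARTTLS") for l in ehlo)
        if result["starttls"]:
            sock.sendall(b"STARTTLS\r\n")
            reply = _read_reply(sock)
            if reply and reply[0].startswith("220"):
                _tls_handshake(sock, host, cafile, result)
        else:
            sock.sendall(b"QUIT\r\n")
    else:
        result["mode"] = "no-banner"
        _tls_handshake(sock, host, cafile, result)
    sock.close()
    return result

def start_fake_server(greet=True):
    """Constructed offline stand-in for a Postfix listener on 127.0.0.1; returns its port.
    greet=True: plaintext smtpd without STARTTLS. greet=False: silent like a wrapper-mode
    port, then drops the connection after the ClientHello (it cannot really do TLS)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if greet:
            conn.sendall(b"220 fake.invalid ESMTP (constructed)\r\n")
            while _read_line(conn).upper().startswith(b"EHLO"):
                conn.sendall(b"250-fake.invalid\r\n250 8BITMIME\r\n")
        else:
            conn.recv(4096)  # swallow the ClientHello and never answer it
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":  # offline demo against the constructed servers
    for greet in (True, False):
        print(probe_smtp_port("127.0.0.1", start_fake_server(greet), timeout=0.5))
```

Against a real server, call `probe_smtp_port("mail.example.lan", 465, cafile="/usr/local/share/certs/ca-root-nss.crt")` from the pfSense shell (host name is a placeholder; the bundle path is the one NOYB had to add his CA to). A `mode` of `"plaintext"` on 465 means the listener lacks wrapper mode and an implicit-TLS client will only ever produce the "bad syntax" lines; a `tls_error` starting with "certificate verification failed" reproduces the "could not start TLS connection encryption protocol" situation from the client's point of view and names the missing or untrusted CA; `tls_ok` with a fingerprint is the state NOYB's "Message sent ... OK" log line corresponds to.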
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.