PfSense 2.3.2 and email notifications



  • Upgraded to pfSense 2.3.2 and email notifications have stopped working.
    Error in the log is

    /system_advanced_notifications.php: Could not send the message to blah@blah.com – Error: could not connect to the host "172.xxx.xxx.6": ??

    I have not changed the settings on the firewall or the mail server.

    The settings used on the firewall look correct and I have checked the account used to send notifications is still enabled and the password still works.

    I have found this bug https://redmine.pfsense.org/issues/5604, which could be related

    The only thing I can think of that could be causing an issue is that our mail server requires an encrypted password rather than plain. I have tried the Login rather than the Plain option on the notifications set up page but it made no difference.

    Any suggestion on how to resolve this issue?

    Disabling encrypted password for the user account is not an option with the mail server as it's a global option.


  • Rebel Alliance Global Moderator

    "Error: could not connect to the host "172.xxx.xxx.6": ??"

    Doesn't seem like an auth issue, more like it just cannot even connect.  Is this server outside or inside your network? Have you validated you can talk to this server from your pfSense box?  Are you using FQDN in the notifications or IP?  Can you post up your notification settings?

    For example see mine using gmail.  And working just fine.




  • Mail server is inside the network, firewall can ping mail server from the ping page in pfSense.

    PING 172.xxx.xxx.6 (172.xxx.xxx.6) from 172.xxx.xxx.250: 56 data bytes
    64 bytes from 172.xxx.xxx.6: icmp_seq=0 ttl=128 time=0.283 ms
    64 bytes from 172.xxx.xxx.6: icmp_seq=1 ttl=128 time=0.257 ms
    64 bytes from 172.xxx.xxx.6: icmp_seq=2 ttl=128 time=0.333 ms

    --- 172.xxx.xxx.6 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.257/0.291/0.333/0.032 ms

    Have tried both IP and FQDN, no difference.

    All three emails in the screenshot are the same and it's definitely working, have checked spam, etc.



  • Rebel Alliance Global Moderator

    If your email server is inside the network, I assume your 172 is RFC 1918, i.e. 172.16-31. Why are you obfuscating it?

    So you can ping it, that's good.  Can you hit it on 465?  Why don't you test it with your openssl client and see what happens??

    example..

    
    [2.3.2-RELEASE][root@pfSense.local.lan]/root: openssl s_client -connect smtp.gmail.com:465
    CONNECTED(00000004)
    depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    verify return:1
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEgDCCA2igAwIBAgIITC5SWm6/x1AwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
    BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
    cm5ldCBBdXRob3JpdHkgRzIwHhcNMTYwOTAxMTM0NTAwWhcNMTYxMTI0MTM0NTAw
    WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
    TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOc210
    cC5nbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGamdn
    T/x6Hj0GXicAIwtKhHVson1920lcW3ByPIE1ubxXBWQOONfkHVT+RKnaq4NKC2aT
    d+e0fBPGaXPmgt09llF1113VSy/jhoaFE4hHoiPeeudDPt8YGSL+Ce+pp9zXR6L7
    QwRRMBpYxOxL10hi1nHCDnqYBROpIPUilcCelnTO7tBLySQJ8qtzokiveZg1hMPY
    CVZYTBFTVObQ/GCWVhmWR5V63WUIXDco8SrXtCFwd6wlqhJTN/NiWT1EhJRoF73x
    YxQN6LxlqlYrNRKf47PhEk6W3isiXpFAN5NbhefAj4fYXkgP0gePky5cZlYmeO54
    1Ipnb7S/Rk8n8raRAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
    KwYBBQUHAwIwGQYDVR0RBBIwEIIOc210cC5nbWFpbC5jb20waAYIKwYBBQUHAQEE
    XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
    MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
    A1UdDgQWBBTKpyClaxLZoImedINn7UZgS8OxUTAMBgNVHRMBAf8EAjAAMB8GA1Ud
    IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
    eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
    bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEADxLJypSiV0DxqoLO
    Hf5fex8Am3Ehtkq/PpLcRXgiqYYA+FmxTZh40Ns6XZJepIgDzKNSnR1zFvozpRRv
    YY7Xid+IGleNy4yBaa9sz7NCiNdtqTxukgK31SX0yfh8sHqc6uHARv0PLzHsU14M
    ja+8tK+3Myb1aJv72eKVQ491f+CPX03VsxK/+1k51OAHq/LAHv1ql9KJDVQC1osw
    T3Ia2rYD+dg5v+BOR7zgWS5Z5aCCm2zaYQpmDmq/+DPkSRRC8ZlbZALKyk3kpB6C
    98IwEOCgiCTaP/uIUnnR2miv+w07yublBp45jV5fcCZdkmFuMlqiAnQGZ59U6mwV
    NQsZNA==
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3727 bytes and written 417 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 14E429EF37274630608B620D24AC9554F896DBFE95204B031E715927A8CFE678
        Session-ID-ctx:
        Master-Key: 45E73165670AB874A35A87CCE798636515BCE7B5748D19BE6C6CCC87E8F3EB97DAB9378BE4605D8C1685EBD2243775E2
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 100800 (seconds)
        TLS session ticket:
        0000 - 4c ec 6c cb 65 2b d7 e7-e5 5a 37 eb d7 99 df 25   L.l.e+...Z7....%
        0010 - ea 9a ca d0 dc be 1b 85-ad e2 a0 57 cd 37 49 33   ...........W.7I3
        0020 - 08 db 69 ac b2 d6 7a ce-9c 5c 6b 95 94 9f 91 36   ..i...z..\k....6
        0030 - 17 df 7c 75 32 b0 c2 b2-d2 73 4b c6 d7 92 5f dd   ..|u2....sK..._.
        0040 - db 24 44 4a ca d7 74 ae-b0 ed 37 80 7c ec 5a 9f   .$DJ..t...7.|.Z.
        0050 - 2b c8 cc 6a 0c 5d 04 41-7e 31 e2 48 43 8a 1a 3e   +..j.].A~1.HC..>
        0060 - c2 ab b1 11 ea 70 47 3b-b7 55 c1 e4 31 22 ba 55   .....pG;.U..1".U
        0070 - 80 1f 2a 68 3e b8 39 b2-3b 3d 81 56 f7 f1 37 dd   ..*h>.9.;=.V..7.
        0080 - 37 3a 0d 0b 45 62 87 35-38 9a 4d df fc bf 94 3e   7:..Eb.58.M....>
        0090 - 1b 4f bd 92 98 0e 8a 1d-a8 03 64 6c e7 dc 72 01   .O........dl..r.
        00a0 - ca ad 37 e2                                       ..7.
    
        Start Time: 1473260826
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    220 smtp.gmail.com ESMTP u76sm3184172ita.15 - gsmtp
    helo test.test.com
    250 smtp.gmail.com at your service
    
    

    Then you can send your commands and see what you get back from your email server, or at the very minimum see that it connects without any issues with the certs, etc.

    If I had to make a wild guess, if you're using IP and not a FQDN, unless you set up a SAN for that IP on your certs they are prob failing, etc.  Are you using a self-signed cert or a public signed trusted CA?



  • If the mail server is using a certificate signed by a private CA, then you will not be able to establish a TLS/SSL connection.

    https://redmine.pfsense.org/issues/6687



  • @dennypage:

    If the mail server is using a certificate signed by a private CA, then you will not be able to establish a TLS/SSL connection.

    https://redmine.pfsense.org/issues/6687

    Or if the mail server is using a certificate signed by a CA that has been removed from /usr/local/share/certs/ca-root-nss.crt.

    Such as this one: https://forum.pfsense.org/index.php?topic=115884.msg644711#msg644711

    The Full Thread:
    SSL/TLS Option Breaks My SMTP Notifications
    https://forum.pfsense.org/index.php?topic=115884.0
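As an added diagnostic (not from this thread and not pfSense's own code), the following Python script works through the layers the replies above discuss: whether the firewall can reach the submission port at all (the "could not connect" case), whether the TLS handshake succeeds against the system trust store or against a private CA bundle you supply (the private-CA and removed-root cases from the two posts above), and which AUTH mechanisms the server advertises (relevant to the PLAIN versus LOGIN question). Host, port and CA file are assumptions you pass on the command line; with no arguments it runs against a constructed loopback stub that answers in plaintext, which shows what a failed handshake looks like rather than a failed connection.

```python
"""Layered check for SMTP-over-TLS notification failures: TCP -> TLS -> SMTP.

Added example, not pfSense code.  It tells apart "cannot connect", "connected
but the certificate does not verify" and "verified but the server will not
offer the AUTH mechanism we need", so the cause is known before SSL is
switched off as a workaround.
"""
import smtplib
import socket
import ssl
import sys
import threading
import time
from typing import Optional


def check_tcp(host: str, port: int, timeout: float = 5.0) -> dict:
    """Stage 1: can we open a TCP connection to the submission port at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"ok": True, "stage": "tcp", "error": None}
    except OSError as exc:
        return {"ok": False, "stage": "tcp", "error": str(exc)}


def check_tls(host: str, port: int, cafile: Optional[str] = None,
              timeout: float = 5.0) -> dict:
    """Stage 2: implicit TLS handshake (port 465 style).

    Verification uses the system trust store, or only `cafile` when given,
    which is how a server signed by a private CA is tested.  `host` is also
    used for hostname matching, so a bare IP only verifies if the certificate
    carries an IP SAN.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "stage": "tls", "error": None,
                        "protocol": tls.version(),
                        "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                        "issuer": dict(rdn[0] for rdn in cert.get("issuer", ()))}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, name mismatch or expiry: reachable but untrusted.
        return {"ok": False, "stage": "cert_verify", "error": exc.verify_message}
    except ssl.SSLError as exc:
        # Reachable, but the peer is not speaking TLS on this port.
        return {"ok": False, "stage": "tls_handshake", "error": str(exc)}
    except OSError as exc:
        return {"ok": False, "stage": "tcp", "error": str(exc)}


def check_smtp(host: str, port: int, cafile: Optional[str] = None,
               timeout: float = 5.0) -> dict:
    """Stage 3: SMTP over TLS up to EHLO; lists the advertised AUTH mechanisms."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as smtp:
            code, _banner = smtp.ehlo()
            mechanisms = smtp.esmtp_features.get("auth", "").split()
            return {"ok": code == 250, "stage": "smtp", "error": None,
                    "auth": mechanisms}
    except (smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "stage": "smtp", "error": str(exc)}


def diagnose(host: str, port: int = 465, cafile: Optional[str] = None) -> list:
    """Run the stages in order and stop at the first one that fails."""
    results = [check_tcp(host, port)]
    if results[-1]["ok"]:
        results.append(check_tls(host, port, cafile))
    if results[-1]["ok"]:
        results.append(check_smtp(host, port, cafile))
    return results


def start_plaintext_stub() -> int:
    """Constructed offline fixture: a loopback listener that answers every
    connection with a plaintext SMTP banner and never TLS, so stage 2 fails at
    the handshake.  Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            try:
                conn.settimeout(2.0)
                conn.recv(4096)                      # swallow the ClientHello
                conn.sendall(b"220 stub.invalid ESMTP\r\n")
                time.sleep(0.5)                      # let the client read first
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 465
        ca = sys.argv[3] if len(sys.argv) > 3 else None
    else:
        target, target_port, ca = "127.0.0.1", start_plaintext_stub(), None
    for r in diagnose(target, target_port, ca):
        print(f"{r['stage']:<14} {'OK' if r['ok'] else 'FAIL'}  {r['error'] or ''}")
```

Usage: `python3 smtp_check.py mail.example.internal 465 /path/to/private-ca.pem`. A `cert_verify` failure against the system store that turns into `tls` OK when the private CA bundle is passed confirms the trust-chain diagnosis above; a `tls_handshake` failure means the port is not offering implicit TLS at all.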



  • @johnpoz:

    If your email server is inside the network, I assume your 172 is rfc1918 ie 172.16-31 why are you obfuscating it?

    Force of habit I'm.

    Issue is solved, read the thread posted by dennypage.
    Disabled SSL and notifications are now working again.

    Thanks for all the help

