PfSense 2.3.2 and email notifications

  • Upgraded to pfSense 2.3.2 and email notifications have stopped working.
    Error in the log is

    /system_advanced_notifications.php: Could not send the message to – Error: could not connect to the host "": ??

    I have not changed the settings on the firewall or the mail server.

    The settings used on the firewall look correct and I have checked the account used to send notifications is still enabled and the password still works.

    I have found this bug, which could be related

    The only thing I can think of that could be causing an issue is that our mail server requires an encrypted password rather than plain. I have tried the Login rather than the Plain option on the notifications setup page, but it made no difference.

    Any suggestion on how to resolve this issue?

    Disabling encrypted password for the user account is not an option with the mail server as it's a global option.

  • LAYER 8 Global Moderator

    "Error: could not connect to the host "": ??"

    Doesn't seem like an auth issue, more like just can not even connect.  Is this server outside or inside your network? Have you validated you can talk to this server from your pfSense box?  Are you using fqdn in the notifications or IP?  Can you post up your notification settings?

    For example see mine using gmail.  And working just fine.

  • Mail server is inside the network, firewall can ping mail server from the ping page in pfSense.

    PING ( from 56 data bytes
    64 bytes from icmp_seq=0 ttl=128 time=0.283 ms
    64 bytes from icmp_seq=1 ttl=128 time=0.257 ms
    64 bytes from icmp_seq=2 ttl=128 time=0.333 ms

    --- ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.257/0.291/0.333/0.032 ms

    Have tried both IP and FQDN, no difference.

    All three emails in the screenshot are the same and it's definitely working, have checked spam, etc.

  • LAYER 8 Global Moderator

    If your email server is inside the network, I assume your 172 is rfc1918 ie 172.16-31 why are you obfuscating it?

    So you can ping it, that's good. Can you hit on 465?  Why don't you test it with your openssl client and see what happens?


    [2.3.2-RELEASE][root@pfSense.local.lan]/root: openssl s_client -connect
    depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    verify return:1
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN =
    verify return:1
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    Server certificate
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
    No client certificate CA names sent
    SSL handshake has read 3727 bytes and written 417 bytes
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 14E429EF37274630608B620D24AC9554F896DBFE95204B031E715927A8CFE678
        Master-Key: 45E73165670AB874A35A87CCE798636515BCE7B5748D19BE6C6CCC87E8F3EB97DAB9378BE4605D8C1685EBD2243775E2
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 100800 (seconds)
        Start Time: 1473260826
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    220 ESMTP u76sm3184172ita.15 - gsmtp
    250 at your service

    Then you can send your commands and see what you get back from your email server, or at the very min that it connects without any issues with the certs, etc.

    If I had to make a wild guess, if you're using IP and not a fqdn, unless you set up SAN for that IP on your certs they are prob failing, etc.  Are you using a self-signed cert or public signed trusted CA?

  • If the mail server is using a certificate signed by a private CA, then you will not be able to establish a TLS/SSL connection.

  • @dennypage:

    If the mail server is using a certificate signed by a private CA, then you will not be able to establish a TLS/SSL connection.

    Or if the mail server is using a certificate signed by a CA that has been removed from /usr/local/share/certs/ca-root-nss.crt.

    Such as this one:

    The Full Thread:
    SSL/TLS Option Breaks My SMTP Notifications

  • @johnpoz:

    If your email server is inside the network, I assume your 172 is rfc1918 ie 172.16-31 why are you obfuscating it?

    Force of habit I'm.

    Issue is solved; read the thread posted by dennypage.
    Disabled SSL and notifications are now working again.

    Thanks for all the help
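
Added example, not part of the thread and not written by any of the posters: the two causes raised above (a mail server certificate signed by a CA that is missing from the client's trust bundle, and connecting by IP when the certificate carries no SAN for that IP) reproduced offline with throwaway certificates. Every name, the address 172.16.0.10 and all file names are constructed; it assumes an `openssl` binary with its default configuration file installed.

```shell
#!/bin/sh
# Added example: every name, address and certificate below is constructed.
work=$(mktemp -d) && cd "$work" || exit 1

# Self-signed CA certificate ($1 = file prefix, $2 = common name).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Server certificate for host $1 (DNS SAN only), signed by the CA with prefix $2.
make_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout srv.key -out srv.csr 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" > san.ext
    openssl x509 -req -in srv.csr -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 2 -extfile san.ext -out srv.crt 2>/dev/null
}

# Succeeds only if srv.crt chains to bundle $1; extra verify flags may follow.
trusted() {
    bundle=$1; shift
    openssl verify -CAfile "$bundle" "$@" srv.crt >/dev/null 2>&1
}

make_ca private "Example Private CA"   # signs the internal mail server
make_ca stock "Example Public CA"      # stands in for the shipped root bundle
make_server mail.example.lan private

report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }
report trusted stock.crt                                      # issuer not in bundle
report trusted private.crt                                    # issuer in bundle
report trusted private.crt -verify_hostname mail.example.lan  # name is in the SAN
report trusted private.crt -verify_ip 172.16.0.10             # no IP SAN present
```

The first and last checks fail and the middle two pass. Adding the issuing CA to the bundle the client uses, and connecting by a name the certificate lists, keeps TLS enabled instead of turning it off.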