Netgate Discussion Forum
    STARTTLS Require TLS?

    General pfSense Questions
    NOYB

      Do pfSense email notifications require TLS when the Enable STARTTLS option is selected? Or will it fall back to plain text?

      e.g.
      "STRIPTLS attacks can be blocked by configuring SMTP clients to require TLS for outgoing connections (for example, the Exim Message transfer agent can require TLS via the directive "hosts_require_tls" [12])."
      https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations

      jimp (Rebel Alliance Developer, Netgate)

        From looking at the code in /etc/inc/smtp.inc on 2.3.2, it appears to fail in various ways if it is configured for start_tls but it cannot be negotiated (e.g. server doesn't support it, client doesn't support it, etc). Looks reasonably safe.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        NOYB

          Thanks Jim,

          That corresponds with what I see in actual tests too.


          /etc/postfix-msa/master.cf: smtpd_tls_security_level=none

          pfSense E-Mail Notifications:
          Port: 587, Enable STARTTLS: No,  SMTP testing e-mail successfully sent
          Port: 587, Enable STARTTLS: Yes, Could not send the message to xxxxx@xxxxx.com – Error: server does not support starting TLS


          /etc/postfix-msa/master.cf: smtpd_tls_security_level=may

          pfSense E-Mail Notifications:
          Port: 587, Enable STARTTLS: No,  SMTP testing e-mail successfully sent
          Port: 587, Enable STARTTLS: Yes, SMTP testing e-mail successfully sent


          /etc/postfix-msa/master.cf: smtpd_tls_security_level=encrypt

          pfSense E-Mail Notifications:
          Port: 587, Enable STARTTLS: No,  Could not send the message to xxxxx@xxxxx.com -- Error: server does not require authentication, it probably requires starting TLS
          Port: 587, Enable STARTTLS: Yes, SMTP testing e-mail successfully sent


          This would seem to indicate that pfSense version 2.3.2 requires TLS, rather than falling back to plain text mode, when the E-Mail Notification option to "Enable STARTTLS" is selected.

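The behaviour NOYB's test matrix shows, failing rather than downgrading to plaintext when the server does not offer STARTTLS, written as a client-side policy in Python. This is an added example, not pfSense's own /etc/inc/smtp.inc code; the host, port and credentials are placeholders supplied by the caller, and the EHLO replies in the comments are constructed.

```python
"""Client-side 'require STARTTLS' policy for an SMTP submission (port 587) session."""
import smtplib
import ssl
from email.message import EmailMessage


class StartTlsNotOffered(Exception):
    """Raised instead of falling back to plaintext (the STRIPTLS downgrade case)."""


def ehlo_offers_starttls(ehlo_reply: bytes) -> bool:
    """Return True if the EHLO reply advertises STARTTLS.

    Accepts either the raw wire form ("250-STARTTLS") or the stripped form
    smtplib returns from SMTP.ehlo() ("STARTTLS"), one capability per line.
    Example (constructed): b"250-mail.example.com\r\n250-STARTTLS\r\n250 SIZE 1000"
    """
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line[:3] == "250" and line[3:4] in ("-", " "):
            line = line[4:]                      # drop the wire-format reply code
        if [w.upper() for w in line.split()[:1]] == ["STARTTLS"]:
            return True
    return False


def send_requiring_starttls(host, port, user, password, msg: EmailMessage):
    """Send only over TLS; never downgrade to plaintext when STARTTLS is missing.

    Mirrors the smtpd_tls_security_level=none row of the test matrix: with
    STARTTLS required, the session is aborted instead of sending in the clear.
    """
    ctx = ssl.create_default_context()           # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        code, reply = smtp.ehlo()
        if code != 250 or not ehlo_offers_starttls(reply):
            raise StartTlsNotOffered(f"{host}:{port} did not advertise STARTTLS")
        smtp.starttls(context=ctx)
        smtp.ehlo()                              # capabilities can change after TLS
        smtp.login(user, password)               # credentials only ever sent under TLS
        smtp.send_message(msg)
```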
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.