Netgate Discussion Forum
    [SOLVED] Can't get any notifications via mail from pfsense.

    9 Posts 4 Posters 3.0k Views
    • Kalle13

      Hello guys,

      first I want to thank all the people who make pfSense possible! Great work!  ;D
      I have been using it for about one year and it works great!

      Unfortunately there is a little issue that I just can't overlook. I don't get any notifications via mail.
      My last notification was on 28th July during the firmware update to 2.3.2, I think: "Firmware upgrade in progress…". After that I got no more notifications.

      When I try to send a test notification these lines appeared in my mail.log

      Nov 29 23:19:46 Mail postfix/smtpd[26590]: connect from unknown[192.168.2.1]
      Nov 29 23:19:46 Mail postfix/smtpd[26590]: SSL_accept error from unknown[192.168.2.1]: 0
      Nov 29 23:19:46 Mail postfix/smtpd[26590]: warning: TLS library problem: 26590:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1300:SSL alert number 48:
      Nov 29 23:19:46 Mail postfix/smtpd[26590]: lost connection after STARTTLS from unknown[192.168.2.1]
      Nov 29 23:19:46 Mail postfix/smtpd[26590]: disconnect from unknown[192.168.2.1]
      

      After a little search I found out that this was probably a problem with my certificate.
      http://serverfault.com/questions/660241/postfix-tls-error
      Also there was a bug (#BUG5604) https://redmine.pfsense.org/issues/5604 with the exact same headline as mine, and I thought that the bug was not fixed yet. But I think I was mistaken.

      My mail setup is like this: I have a mail server, and all my little servers and thingies send their status via mail to it. All mails from these servers were delivered except the ones from my pfSense box. The SMTP connection starts with STARTTLS on port 25 and I have my own self-signed certificate.

      I hope you might have a little hint for me.

      Cheers
      Kalle

      "Everyone cooks with water, you can call that a truism. The difference to you is that the two of us can cook."

      • Kinderzimmer Productions
      • jimp (Rebel Alliance Developer, Netgate)

        @Kalle13:

        I have my own self signed certificate.

        It (correctly) fails to validate the certificate because it's self-signed, it does not come from a CA recognized by the SMTP client.

        If you use a valid certificate and a proper matching hostname/cn it will work.

        • Kalle13

          Hello jimp,

          thank you for your response.

          If you use a valid certificate and a proper matching hostname/cn it will work.

          I can't believe what I am reading. Why can't I use a self-signed certificate? Therefore for a user like me who uses pfSense in his home environment it is impossible to get notifications via SSL?
          But before the pfSense Upgrade (like I said in my previous post) it worked just fine.

          Regards
          Kalle

          • KOM

            Why can't I use a self signed certificate?

            He told you that already.  There is no chain of trust with a self-signed cert.  It's like making a photo ID of yourself at home and then thinking it will get you past airport security.

            Therefore for a user like me…

            Genuine SSL certs can be had for cheap.  StartCom offers free certs, as does the Let's Encrypt project.

            But before the pfSense Upgrade (like I said in my previous post) it worked just fine.

            Is it possible that you had previously imported the pfSense CA cert as a trusted authority?

            • Kalle13
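            What jimp and KOM are describing, as an added example that is not part of the thread and is not pfSense or postfix code: a Go program that builds a constructed self-signed certificate for an assumed host name (mail.example), starts a loopback TLS server standing in for postfix smtpd after STARTTLS, and connects three times as the notification client would: against a CA store that lacks the certificate (the default situation, where the client rejects the chain and the server logs the unknown_ca alert, "SSL alert number 48"), against a store into which the certificate has been imported as a trusted authority (KOM's question), and with the certificate trusted but a host name that does not match what the certificate was issued for (jimp's "proper matching hostname/cn").

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// selfSignedCert stands in for the mail server's "own self signed certificate".
// The host name is an assumption of this example, not taken from the thread.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // clients match the SAN; the CN alone is not enough
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own, and only, root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// classify names the client-side verification outcome. UnknownAuthorityError is
// the client's view of the unknown_ca alert that postfix logged as "SSL alert number 48".
func classify(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	if err == nil {
		return "ok"
	} else if errors.As(err, &unknownCA) {
		return "unknown_ca"
	} else if errors.As(err, &badName) {
		return "hostname_mismatch"
	}
	return "other: " + err.Error()
}

// demo stands up the server and runs the three situations discussed in the thread.
func demo() (map[string]string, error) {
	const host = "mail.example" // assumed name of the mail server
	cert, leaf, err := selfSignedCert(host)
	if err != nil {
		return nil, err
	}
	// The server plays postfix smtpd after STARTTLS: it only runs the TLS handshake,
	// which fails when the client rejects the certificate.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			_ = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
	}()
	// The client plays the pfSense notification sender: it verifies the server
	// certificate against roots and expects it to be issued for serverName.
	connect := func(serverName string, roots *x509.CertPool) string {
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: serverName, RootCAs: roots})
		if err == nil {
			conn.Close()
		}
		return classify(err)
	}
	untrusted := x509.NewCertPool() // a CA store without the self-signed cert: the default situation
	imported := x509.NewCertPool()
	imported.AddCert(leaf) // the server's cert imported as a trusted authority, as KOM asks about
	return map[string]string{
		"untrusted_store":      connect(host, untrusted),
		"imported_ca":          connect(host, imported),
		"imported_ca_bad_name": connect("other.example", imported),
	}, nil
}
```

            The trust store is modelled as an explicit empty pool rather than the system roots so the result does not depend on what CA bundle the machine running it happens to have; the only difference between the first two connections is whether the client's store contains the server's certificate, which is exactly the difference between "unknown ca" in the mail log and a working notification. The third connection shows that importing the certificate is not enough on its own: the name the client connects to must also be one the certificate was issued for.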

              Hello KOM,

              thank you for your reply.

              He told you that already.  There is no chain of trust with a self-signed cert.  It's like making a photo ID of yourself at home and then thinking it will get you past airport security.

              Ok, now I understand what you guys want to tell me.

              Genuine SSL certs can be had for cheap.  StartCom offers free certs, as does the Let's Encrypt project.

              Thank you for the hint.

              But before the pfSense Upgrade (like I said in my previous post) it worked just fine.

              Is it possible that you had previously imported the pfSense CA cert as a trusted authority?

              No, I haven't. Probably it's worth an investigation why it worked before the upgrade.

              Cheers,
              Kalle

              • Gertjan

                @Kalle13:

                My mail setup is like: I have a mail server, and all my little server and thingies are sending their status via mail to it. All mails from these servers were delivered accept the one from my pfsense box. The smtp connection starts with STARTTLS on port 25 and I have my own self signed certificate.

                Both links mention a problem, and both are solved ….

                Btw: probably not related:
                Using "auth" on port "25" went out of business a while ago. People started to understand that:
                "25" is for server to server connections only (and they can use SSL if they both agree on it) - 'mail clients' shouldn't use this port. It wasn't written to communicate with these guys.
                "587" exists for you - your devices - to inject mail into your server to be transmitted. This can be a clear connection, or, if STARTTLS is activated with postfix, and the client - your device - accepts it, use TLS.
                "465" is used when the communication should be SSL from the ground up from your device to your server.

                I use "465" only (but support 587 STARTTLS also if needed) and use 'known' startssl certificates on my postfix server.

                Dec  9 00:13:44 ns311465 my-work.tld-smtps/smtpd[13399]: connect from ABordeaux-653-1-477-226.w90-11.abo.wanadoo.fr[90.11.61.226]
                Dec  9 00:13:44 ns311465 my-work.tld-smtps/smtpd[13399]: Anonymous TLS connection established from abordeaux-653-1-477-226.w90-11.abo.wanadoo.fr[90.11.61.226]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
                Dec  9 00:13:45 ns311465 my-work.tld-smtps/smtpd[13399]: 25F7A63E1BD3: client=ABordeaux-653-1-477-226.w90-11.abo.wanadoo.fr[90.11.61.226], sasl_method=PLAIN, sasl_username=me@my-mail.tld
                Dec  9 00:13:45 ns311465 postfix/cleanup[13404]: 25F7A63E1BD3: message-id=<>
                Dec  9 00:13:45 ns311465 postfix/qmgr[28832]: 25F7A63E1BD3: from=<pfsense@brit-hotel-fumel.net>, size=604, nrcpt=1 (queue active)
                Dec  9 00:13:45 ns311465 my-work.tld-smtps/smtpd[13399]: disconnect from ABordeaux-653-1-477-226.w90-11.abo.wanadoo.fr[90.11.61.226]
                Dec  9 00:13:47 ns311465 amavis/smtpd[13409]: 2881F63E1C94: client=localhost.localdomain[127.0.0.1]
                Dec  9 00:13:47 ns311465 postfix/cleanup[13404]: 2881F63E1C94: message-id=<20161208231347.2881F63E1C94@ns311465.ip-188-165-201.eu>
                Dec  9 00:13:47 ns311465 postfix/qmgr[28832]: 2881F63E1C94: from=<pfsense@my-work.tld>, size=1406, nrcpt=1 (queue active)
                Dec  9 00:13:47 ns311465 postfix/smtp[13405]: 25F7A63E1BD3: to=<me@my-mail.tld>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.2, delays=0.23/0.03/0/1.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2881F63E1C94)
                Dec  9 00:13:47 ns311465 postfix/qmgr[28832]: 25F7A63E1BD3: removed
                Dec  9 00:13:47 ns311465 postfix/virtual[13410]: 2881F63E1C94: to=<me@my-mail.tld>, relay=virtual, delay=0.14, delays=0.05/0.01/0/0.09, dsn=2.0.0, status=sent (delivered to maildir)
                

                Still, the connection is flagged as "Anonymous TLS connection", and that's ok:

                An "anonymous TLS connection" is any TLS connection that doesn't use a client certificate. Since most TLS connections only use a server certificate, there's nothing strange about this. It's not like the client is anonymous anyway; you have their host names and IP addresses.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • Kalle13

                  Thank you guys for your help!
                  Now I get my notifications.
                  But I've chosen the dark side of the settings-side.
                  The easiest and the simplest way: Port 25 without SSL on the pfSense settings. ::)

                  Cheers
                  Kalle

                  • Gertjan

                    @Kalle13:

                    But I've chosen the dark side of the settings-side.
                    The easiest and the simplest way: Port 25 without SSL on the pfSense settings. ::)

                    It's all a question of HOW your postfix server is set up - and where it resides. My ISP - as many others - simply blocks all outgoing connections to 'port 25' (smtp) except to their own mail server. So I could only use a mail hosted by my ISP as a destination. That's a negative for me. I'm using my mail server on the net … and thus I had to set up an access to '587' (and 465 was just for the fun).
                    But ok, managing a mail server using many domains, on many IPs (v4 and v6) can be daunting .... and it's never 'finished' and implies a lot of tasks.

                    • Kalle13

                      That's right.
                      I have the luck that my server is in my network next to my pfSense router. That's why I can do it the easy way.

                      My ISP - as many others - simply blocks all outgoing connections to 'port 25' (smtp) except to their own mail server.

                      A couple of months ago my ISP was also blocking port 25. My solution was to call them and ask if they would unblock the port, and they did.  ;D

                      cheers
                      Kalle

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.