[SOLVED] Can't get any notifications via mail from pfsense.



  • Hello guys,

    first I want to thank all these people who make pfSense possible! Great work!  ;D
    I have been using it for about one year and it works great!

    Unfortunately there is a little issue that I can't just overlook. I don't get any notifications via mail.
    My last notification was on 28th July during the firmware update to 2.3.2 I think: "Firmware upgrade in progress…". After that I got no more notifications.

    When I try to send a test notification these lines appear in my mail.log:

    Nov 29 23:19:46 Mail postfix/smtpd[26590]: connect from unknown[192.168.2.1]
    Nov 29 23:19:46 Mail postfix/smtpd[26590]: SSL_accept error from unknown[192.168.2.1]: 0
    Nov 29 23:19:46 Mail postfix/smtpd[26590]: warning: TLS library problem: 26590:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1300:SSL alert number 48:
    Nov 29 23:19:46 Mail postfix/smtpd[26590]: lost connection after STARTTLS from unknown[192.168.2.1]
    Nov 29 23:19:46 Mail postfix/smtpd[26590]: disconnect from unknown[192.168.2.1]
    

    After a little search I found out that this was probably a problem with my certificate.
    http://serverfault.com/questions/660241/postfix-tls-error
    Also there was a bug (#BUG5604) https://redmine.pfsense.org/issues/5604 with exactly the same headline as mine, and I thought that the bug was not fixed yet. But I think I was mistaken.

    My mail setup is like this: I have a mail server, and all my little servers and thingies are sending their status via mail to it. All mails from these servers were delivered except the one from my pfSense box. The SMTP connection starts with STARTTLS on port 25 and I have my own self-signed certificate.

    I hope you might have a little hint for me.

    Cheers
    Kalle


  • Rebel Alliance Developer Netgate

    @Kalle13:

    I have my own self signed certificate.

    It (correctly) fails to validate the certificate because it's self-signed, it does not come from a CA recognized by the SMTP client.

    If you use a valid certificate and a proper matching hostname/cn it will work.
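
The handshake failure in the log from the first post, as an added example that is not part of the thread: a small Python triage script that pairs each `lost connection after STARTTLS` with the TLS alert the client sent and names it (alert 48 is `unknown_ca`, meaning the client rejected the issuer of the server certificate). The sample log reuses the five lines posted above plus a constructed healthy session; the function name is hypothetical.

```python
import re

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}

LINE = re.compile(r"/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from \S*\[(?P<ip>[^\]]+)\]")
ALERT = re.compile(r"TLS library problem: .*SSL alert number (?P<num>\d+)")
LOST = re.compile(r"^lost connection after STARTTLS from \S*\[(?P<ip>[^\]]+)\]")

# First five lines: the log from the first post. Last three lines: a
# constructed healthy session, added so the filter has something to skip.
SAMPLE_LOG = """\
Nov 29 23:19:46 Mail postfix/smtpd[26590]: connect from unknown[192.168.2.1]
Nov 29 23:19:46 Mail postfix/smtpd[26590]: SSL_accept error from unknown[192.168.2.1]: 0
Nov 29 23:19:46 Mail postfix/smtpd[26590]: warning: TLS library problem: 26590:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1300:SSL alert number 48:
Nov 29 23:19:46 Mail postfix/smtpd[26590]: lost connection after STARTTLS from unknown[192.168.2.1]
Nov 29 23:19:46 Mail postfix/smtpd[26590]: disconnect from unknown[192.168.2.1]
Nov 29 23:20:02 Mail postfix/smtpd[26601]: connect from unknown[192.168.2.7]
Nov 29 23:20:02 Mail postfix/smtpd[26601]: Anonymous TLS connection established from unknown[192.168.2.7]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 29 23:20:03 Mail postfix/smtpd[26601]: disconnect from unknown[192.168.2.7]
"""


def failed_starttls_clients(log_text):
    """Return [(client_ip, alert_number, alert_name)] for smtpd sessions in
    which the peer aborted the handshake with a TLS alert after STARTTLS."""
    sessions = {}   # smtpd pid -> state of the session that process is serving
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (conn := CONNECT.match(msg)):
            sessions[pid] = {"ip": conn["ip"], "alert": None}
        elif (alert := ALERT.search(msg)) and pid in sessions:
            sessions[pid]["alert"] = int(alert["num"])
        elif (lost := LOST.match(msg)) and sessions.get(pid, {}).get("alert") is not None:
            num = sessions[pid]["alert"]
            findings.append((lost["ip"], num, TLS_ALERTS.get(num, "other")))
    return findings

if __name__ == "__main__":
    for ip, num, name in failed_starttls_clients(SAMPLE_LOG):
        print(f"{ip}: client sent TLS alert {num} ({name})")
```
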



  • Hello jimp,

    thank you for your response.

    If you use a valid certificate and a proper matching hostname/cn it will work.

    I can't believe what I am reading. Why can't I use a self-signed certificate? Therefore for a user like me who uses pfSense in his home environment it is impossible to get notifications via SSL?
    But before the pfSense Upgrade (like I said in my previous post) it worked just fine.

    Regards
    Kalle



  • Why can't I use a self signed certificate?

    He told you that already.  There is no chain of trust with a self-signed cert.  It's like making a photo ID of yourself at home and then thinking it will get you past airport security.

    Therefore for a user like me…

    Genuine SSL certs can be had for cheap.  StartCom offers free certs, as does the Let's Encrypt project.

    But before the pfSense Upgrade (like I said in my previous post) it worked just fine.

    Is it possible that you had previously imported the pfSense CA cert as a trusted authority?



  • Hello KOM,

    thank you for your reply.

    He told you that already.  There is no chain of trust with a self-signed cert.  It's like making a photo ID of yourself at home and then thinking it will get you past airport security.

    Ok, now I understand what you guys want to tell me.

    Genuine SSL certs can be had for cheap.  StartCom offers free certs, as does the Let's Encrypt project.

    Thank you for the hint.

    But before the pfSense Upgrade (like I said in my previous post) it worked just fine.

    Is it possible that you had previously imported the pfSense CA cert as a trusted authority?

    No, I haven't. Probably it's worth an investigation why it worked before the upgrade.

    Cheers,
    Kalle



  • @Kalle13:

    My mail setup is like this: I have a mail server, and all my little servers and thingies are sending their status via mail to it. All mails from these servers were delivered except the one from my pfSense box. The SMTP connection starts with STARTTLS on port 25 and I have my own self-signed certificate.

    Both links mentioned problems, and both are solved ….

    Btw: probably not related:
    Using "auth" on port "25" went out of business a while ago. People started to understand that:
    "25" is for server to server connections only (and they can use SSL if they both agree on it) - 'mail clients' shouldn't use this port. It wasn't written to communicate with these guys.
    "587" exists for you - your devices - to inject mail into your server to be transmitted. This can be a clear connection, or, if STARTTLS is activated with postfix, and the client - your device - accepts it, use TLS.
    "465" is used when the communication should be SSL from the ground up from your device to your server.

    I use "465" only (but support 587 STARTTLS also if needed) and use 'known' startssl certificates on my postfix server.

    Dec  9 00:13:44 ns311465 my-work.tld-smtps/smtpd[13399]: connect from ABordeaux-653-1-477-226.w90-11.abo.wanadoo.fr[90.11.61.226]
    Dec  9 00:13:44 ns311465 my-work.tld-smtps/smtpd[13399]: Anonymous TLS connection established from abordeaux-653-1-477-226.w90-11.abo.wanadoo.fr[90.11.61.226]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Dec  9 00:13:45 ns311465 my-work.tld-smtps/smtpd[13399]: 25F7A63E1BD3: client=ABordeaux-653-1-477-226.w90-11.abo.wanadoo.fr[90.11.61.226], sasl_method=PLAIN, sasl_username=me@my-mail.tld
    Dec  9 00:13:45 ns311465 postfix/cleanup[13404]: 25F7A63E1BD3: message-id=<>
    Dec  9 00:13:45 ns311465 postfix/qmgr[28832]: 25F7A63E1BD3: from=<pfsense@brit-hotel-fumel.net>, size=604, nrcpt=1 (queue active)
    Dec  9 00:13:45 ns311465 my-work.tld-smtps/smtpd[13399]: disconnect from ABordeaux-653-1-477-226.w90-11.abo.wanadoo.fr[90.11.61.226]
    Dec  9 00:13:47 ns311465 amavis/smtpd[13409]: 2881F63E1C94: client=localhost.localdomain[127.0.0.1]
    Dec  9 00:13:47 ns311465 postfix/cleanup[13404]: 2881F63E1C94: message-id=<20161208231347.2881F63E1C94@ns311465.ip-188-165-201.eu>
    Dec  9 00:13:47 ns311465 postfix/qmgr[28832]: 2881F63E1C94: from=<pfsense@my-work.tld>, size=1406, nrcpt=1 (queue active)
    Dec  9 00:13:47 ns311465 postfix/smtp[13405]: 25F7A63E1BD3: to=<me@my-mail.tld>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.2, delays=0.23/0.03/0/1.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2881F63E1C94)
    Dec  9 00:13:47 ns311465 postfix/qmgr[28832]: 25F7A63E1BD3: removed
    Dec  9 00:13:47 ns311465 postfix/virtual[13410]: 2881F63E1C94: to=<me@my-mail.tld>, relay=virtual, delay=0.14, delays=0.05/0.01/0/0.09, dsn=2.0.0, status=sent (delivered to maildir)
    

    Still, the connection is flagged as "Anonymous TLS connection"; that's ok:

    An "anonymous TLS connection" is any TLS connection that doesn't use a client certificate. Since most TLS connections only use a server certificate, there's nothing strange about this. It's not like the client is anonymous anyway; you have their host names and IP addresses.



  • Thank you guys for your help!
    Now I get my notifications.
    But I've chosen the dark side of the settings-side.
    The easiest and the simplest way: Port 25 without SSL on the pfSense settings. ::)

    Cheers
    Kalle



  • @Kalle13:

    But I've chosen the dark side of the settings-side.
    The easiest and the simplest way: Port 25 without SSL on the pfSense settings. ::)

    It's all a question of HOW your postfix server is set up - and where it resides. My ISP - as many others - simply blocks all outgoing connections to 'port 25' (smtp) except their own mail server. So I could only use a mail hosted by my ISP as a destination. That's a negative for me. I'm using my mail server on the net … and thus I had to set up an access to '587' (and 465 was just for the fun).
    But ok, managing a mail server using many domains, on many IPs (v4 and v6) can be daunting .... and it's never 'finished' and implies a lot of tasks.



  • That's right.
    I have the luck that my server is in my network next to my pfSense router. That's why I can do it the easy way.

    My ISP - as many others - simply blocks all outgoing connections to 'port 25' (smtp) except their own mail server.

    A couple of months ago my ISP was also blocking port 25. My solution was to call them and to ask if they would unblock the port and they did.  ;D

    cheers
    Kalle