Netgate Discussion Forum
    Notification email settings. Allow STARTTLS option.

    General pfSense Questions
    11 Posts 2 Posters 3.5k Views
    • TexasOutrage

      Outlook.com requires starttls to be used when connecting to their smtp server. It uses port 587 and when using that port, gmail.com also requires that. If you use 465, it looks like gmail.com will accept standard ssl/tls connections. It works for gmail using port 465, but it's documented for outlook.com that starttls is required.

      • Gertjan

        Like this ?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • TexasOutrage

          Yeah, it mentions exactly what I'm talking about. He couldn't get it to work with outlook.com on port 587. I'm not going to communicate with a mail server without using tls.

          • Gertjan @TexasOutrage

            @TexasOutrage said in Notification email settings. Allow STARTTLS option.:

            I'm not going to communicate with a mail server without using tls.

            The big ones, like outlook, gmail, etc. won't even let you NOT use some SSL.

            I just tried making it work - I have an ancient hotmail account. After some tries, I noticed that 'outlook' sent me a mail that there was "suspicious" activity.
            I told them it was "me".
            Activated POP support (and thus smtp).

            True, they want STARTTLS on 587 ..... pfSense dropped that probably.
            Well, ok, that's their issue then, I went back to my own mail server (465 is smtps) like gmail, also works great (free pop ups on your phone are for free with the gmail App ^^)

            • TexasOutrage @Gertjan

              @Gertjan Yes, and that's all I was saying with my initial post. It needs a StartTLS option to communicate with a lot of current email servers. Gmail on port 465 doesn't use starttls, but 587 does. Starttls is supposedly more secure than the traditional method. That's why they require it on those ports. I mean freenas supports it and it's based on the same base os. So I can use outlook for freenas but I have to move to gmail for notifications for my firewall. Doesn't make a whole lot of sense, does it?

              • Gertjan @TexasOutrage

                @TexasOutrage said in Notification email settings. Allow STARTTLS option.:

                It needs a StartTLS option to communicate with a lot of current email servers.

                I had some time to check what happens.

                I do own my own mail server, and normally my mail clients are using '465' (smtp over SSL).
                But 'submission' (port 587) also works.

                220 mail.test-domaine.fr ESMTP Postfix
                EHLO me.tld
                250-mail.test-domaine.fr
                250-PIPELINING
                250-SIZE 31457280
                250-VRFY
                250-ETRN
                250-STARTTLS
                250-AUTH PLAIN LOGIN
                250-AUTH=PLAIN LOGIN
                250-ENHANCEDSTATUSCODES
                250-8BITMIME
                250 DSN
                

                As you can see, the server announces that it accepts STARTTLS among others.

                Aug 15 14:50:46 ns311465 postfix/smtpd[27438]: connect from tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
                Aug 15 14:50:46 ns311465 postfix/smtpd[27438]: Anonymous TLS connection established from tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
                Aug 15 14:50:46 ns311465 postfix/smtpd[27438]: D026B63E03BF: client=tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2], sasl_method=LOGIN, sasl_username=me@test-domaine.fr
                Aug 15 14:50:47 ns311465 postfix/cleanup[27456]: D026B63E03BF: message-id=<>
                Aug 15 14:50:47 ns311465 postfix/qmgr[25884]: D026B63E03BF: from=<pfsense@brit-hotel-fumel.fr>, size=619, nrcpt=1 (queue active)
                Aug 15 14:50:47 ns311465 postfix/smtpd[27438]: disconnect from tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
                

                The "Anonymous TLS connection established from" on the second line states that the STARTTLS was accepted and activated.

                To see what really happens, I went to /etc/inc/notices.inc, line 395 and set debug to true

                		'debug' => true,
                

                Now, when a mail is sent, the debug info is shown at the top of the page (overlapped by the GUI menu bar, so inspect the page to see all of it).

                DEBUG: Recv: 220 PR0P264CA0026.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 15 Aug 2019 13:06:42 +0000
                DEBUG: Send: EHLO pfsense.brit-hotel-fumel.net
                
                DEBUG: Recv: 250-PR0P264CA0026.outlook.office365.com Hello [2001:470:1f12:5c0::2]
                DEBUG: Recv: 250-SIZE 157286400
                DEBUG: Recv: 250-PIPELINING
                DEBUG: Recv: 250-DSN
                DEBUG: Recv: 250-ENHANCEDSTATUSCODES
                DEBUG: Recv: 250-STARTTLS
                DEBUG: Recv: 250-8BITMIME
                DEBUG: Recv: 250-BINARYMIME
                DEBUG: Recv: 250-CHUNKING
                DEBUG: Recv: 250 SMTPUTF8
                Hello [2001:470:1f12:5c0::2]
                 157286400
                DEBUG: Send: STARTTLS
                
                DEBUG: Recv: 220 2.0.0 SMTP server ready
                DEBUG: Send: EHLO pfsense.brit-hotel-fumel.net
                
                DEBUG: Recv: 250-PR0P264CA0026.outlook.office365.com Hello [2001:470:1f12:5c0::2]
                DEBUG: Recv: 250-SIZE 157286400
                DEBUG: Recv: 250-PIPELINING
                DEBUG: Recv: 250-DSN
                DEBUG: Recv: 250-ENHANCEDSTATUSCODES
                DEBUG: Recv: 250-AUTH LOGIN XOAUTH2
                DEBUG: Recv: 250-8BITMIME
                DEBUG: Recv: 250-BINARYMIME
                DEBUG: Recv: 250-CHUNKING
                DEBUG: Recv: 250 SMTPUTF8
                Hello [2001:470:1f12:5c0::2]
                 157286400
                 LOGIN XOAUTH2
                DEBUG: Send: AUTH LOGIN
                DEBUG: Recv: 334 VXNlcm58YhbWU6
                DEBUG: Send: Z3drcm9lYkBob3RtYsdrRTNvbQ==
                DEBUG: Recv: 334 UGFzc3dvdFrtlcmQ6
                DEBUG: Send: aHRzZWNfTRhNDc=
                DEBUG: Recv: 535 5.7.3 Authentication unsuccessful [PR0P264CA0026.FRAP264.PROD.OUTLOOK.COM]
                DEBUG: Send: RSET
                DEBUG: Recv: 250 2.0.0 Resetting
                DEBUG: Send: QUIT
                DEBUG: Recv: 221 2.0.0 Service closing transmission channel
                

                So : SMTP.office365.com on port 587 does announce STARTTLS compatibility.
                pfSense does send out STARTTLS to start an SSL connection.

                Then the login fails .... (using my mail like me@test-domaine.fr as a destination).
                Probably my password was wrong ....
                I tested again : Check this out :

                4501fd7c-d96b-4e6d-b357-b37774a978f2-image.png

                and yes, My hotmail mail account did accept the test mail from pfSense.

                When I changed the "Notification E-Mail address" to some other mail, the mail was sent / forwarded to this address.

                So, the issue isn't an issue ^^ It works.
                If the mail server is STARTTLS capable, pfSense mail (smtp) notification system will use it.

                • TexasOutrage
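The debug output above is the whole story of a STARTTLS submission: EHLO, the server advertising STARTTLS, the client issuing it, a 220 reply, a second EHLO, and only then AUTH. Here is an added example (not pfSense or PHPMailer code) that audits such a transcript and flags an AUTH that would have crossed the wire in clear; the sample transcript, host names and the base64 credential line are constructed placeholders.

```python
"""Audit a pfSense (PHPMailer) SMTP debug transcript for STARTTLS hygiene.
Added example, not pfSense or PHPMailer code: it reads the "DEBUG: Send/Recv"
lines produced with 'debug' => true and checks that AUTH was sent only after
the server's 220 reply to STARTTLS, i.e. inside the encrypted channel."""
import re

LINE_RE = re.compile(r"^DEBUG: (Send|Recv): (.*)$")


def ehlo_capabilities(pairs):
    """EHLO keywords from '250-' / '250 ' reply lines, e.g. {'STARTTLS', 'AUTH'}."""
    return {p[4:].split()[0].upper() for d, p in pairs
            if d == "Recv" and re.match(r"^250[- ]\S", p)}


def audit(text):
    """Return findings; 'ok' is True only if no credentials crossed in clear."""
    pairs = [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]
    r = {"starttls_advertised": "STARTTLS" in ehlo_capabilities(pairs),
         "starttls_sent": False, "tls_established": False, "auth_in_clear": False}
    awaiting_220 = False
    for d, p in pairs:
        if d == "Send" and p.strip().upper() == "STARTTLS":
            r["starttls_sent"] = awaiting_220 = True
        elif d == "Recv" and awaiting_220 and p.startswith("220"):
            r["tls_established"], awaiting_220 = True, False
        elif d == "Send" and p.upper().startswith("AUTH ") and not r["tls_established"]:
            r["auth_in_clear"] = True  # password exchange on a plaintext socket
    r["ok"] = r["starttls_advertised"] and r["tls_established"] and not r["auth_in_clear"]
    return r


# Constructed sample modelled on the thread's debug output; host names and the
# base64 credential line are placeholders, not real values.
GOOD = """DEBUG: Recv: 220 mx.example.test ESMTP ready
DEBUG: Send: EHLO pfsense.example.test
DEBUG: Recv: 250-mx.example.test Hello [192.0.2.10]
DEBUG: Recv: 250-STARTTLS
DEBUG: Recv: 250 SMTPUTF8
DEBUG: Send: STARTTLS
DEBUG: Recv: 220 2.0.0 SMTP server ready
DEBUG: Send: EHLO pfsense.example.test
DEBUG: Recv: 250-AUTH LOGIN XOAUTH2
DEBUG: Recv: 250 SMTPUTF8
DEBUG: Send: AUTH LOGIN
DEBUG: Send: <base64-username-placeholder>
"""
# Same dialogue with the STARTTLS step missing: audit() flags the AUTH as cleartext.
BAD = GOOD.replace("DEBUG: Send: STARTTLS\nDEBUG: Recv: 220 2.0.0 SMTP server ready\n", "")
```

Paste the real debug lines from the pfSense page into `audit()` to confirm the same ordering on your own server.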

                  I appreciate the work you put in. It just doesn't make any sense. The problem appears to be, maybe, with two factor authentication and an application password problem. I look at it from that end, because of the wonderful job you did in proving me wrong. 😀

                    • TexasOutrage

                    Well, set it up like yours and unchecked enabled smtp over ssl/tls and validate server and it worked even with the application password. Color me confused.

                      • Gertjan @TexasOutrage

                      @TexasOutrage said in Notification email settings. Allow STARTTLS option.:

                      unchecked enabled smtp over ssl/tls and validate

                      That won't work. Microsoft doesn't do SSL out of the box = port 465..
                      '587' means : first, the initial communication goes 'clear' over the line, SSL (after STARTTLS) starts afterwards.
                      Btw : as you can see above, user/password authentication happens after STARTTLS, so it's pretty secure.

                      I did receive a mail from them that stated that there was some 'unknown access' to my account; I answered that message with an "It was me" indication.
                      Afterwards, all was fine.

                      I'm using this myself :

                      be43c769-bf48-4055-a58b-081e0e85d3d1-image.png

                      which says : my mail server knows it's 'me' and my pfSense knows it's 'my mail server' (because the certs are trusted on both sides).

                      Use https://www.checktls.com/ and check your own mail address (it should be all green everywhere) ^^

                        • TexasOutrage

                        Well, the test email went after I unchecked the above boxes and resubmitted it with the same credentials. Don't know. I set up the connection based on your screen capture of the screen for the hotmail account, and it works. I'd have to try the debug trick and follow the bouncing mail to see exactly what it's doing, but it seems to work for the moment.

                          • Gertjan

                          Note : my last image concerns my own mail server - using port 465 - thus smtp over SSL and cert checking on both sides.
                          All this is unknown for MSN/Hotmail/Outlook.

                          Btw Google (gmail) dropped submission (= '587') usage and stepped over to 465 a long time ago.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.