Notification email settings. Allow STARTTLS option.



  • Outlook.com requires STARTTLS to be used when connecting to their SMTP server. It uses port 587 and, when using that port, gmail.com also requires that. If you use 465, it looks like gmail.com will accept standard SSL/TLS connections. It works for Gmail using port 465, but it's documented for outlook.com that STARTTLS is required.





  • Yeah, it mentions exactly what I'm talking about. He couldn't get it to work with outlook.com on port 587. I'm not going to communicate with a mail server without using TLS.



  • @TexasOutrage said in Notification email settings. Allow STARTTLS option.:

    I'm not going to communicate with a mail server without using tls.

    The big ones, like Outlook, Gmail, etc. won't even let you NOT use some SSL.

    I just tried making it work - I have an ancient Hotmail account. After some tries, I noticed that 'Outlook' sent me a mail that there was "suspicious" activity.
    I told them it was "me".
    Activated POP support (and thus SMTP).

    True, they want STARTTLS on 587 ..... pfSense dropped that probably.
    Well, ok, that's their issue then. I went back to my own mail server (465 is smtps), like Gmail, works also great (free pop-ups on your phone are free with the Gmail app ^^)



  • @Gertjan Yes, and that's all I was saying with my initial post. It needs a STARTTLS option to communicate with a lot of current email servers. Gmail on port 465 doesn't use STARTTLS, but 587 does. STARTTLS is supposedly more secure than the traditional method. That's why they require it on those ports. I mean FreeNAS supports it and it's based on the same base OS. So I can use Outlook for FreeNAS but I have to move to Gmail for notifications for my firewall. Doesn't make a whole lot of sense, does it?



  • @TexasOutrage said in Notification email settings. Allow STARTTLS option.:

    It needs a STARTTLS option to communicate with a lot of current email servers.

    I had some time to check what happens.

    I do own my own mail server, and normally my mail clients are using '465' (SMTP over SSL).
    But 'submission' (port 587) also works.

    220 mail.test-domaine.fr ESMTP Postfix
    EHLO me.tld
    250-mail.test-domaine.fr
    250-PIPELINING
    250-SIZE 31457280
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    

    As you can see, the server announces that it accepts STARTTLS among others.

    Aug 15 14:50:46 ns311465 postfix/smtpd[27438]: connect from tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
    Aug 15 14:50:46 ns311465 postfix/smtpd[27438]: Anonymous TLS connection established from tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Aug 15 14:50:46 ns311465 postfix/smtpd[27438]: D026B63E03BF: client=tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2], sasl_method=LOGIN, sasl_username=me@test-domaine.fr
    Aug 15 14:50:47 ns311465 postfix/cleanup[27456]: D026B63E03BF: message-id=<>
    Aug 15 14:50:47 ns311465 postfix/qmgr[25884]: D026B63E03BF: from=<pfsense@brit-hotel-fumel.fr>, size=619, nrcpt=1 (queue active)
    Aug 15 14:50:47 ns311465 postfix/smtpd[27438]: disconnect from tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
    

    The "Anonymous TLS connection established from" on the second line states that the STARTTLS was accepted and activated.

    To see what really happens, I went to /etc/inc/notices.inc, line 395, and set debug to true:

    		'debug' => true,
    

    Now, when a mail is sent, the debug output appears at the top of the page (overlapped by the GUI menu bar, so inspect the page to see all the debug info).

    DEBUG: Recv: 220 PR0P264CA0026.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 15 Aug 2019 13:06:42 +0000
    DEBUG: Send: EHLO pfsense.brit-hotel-fumel.net
    
    DEBUG: Recv: 250-PR0P264CA0026.outlook.office365.com Hello [2001:470:1f12:5c0::2]
    DEBUG: Recv: 250-SIZE 157286400
    DEBUG: Recv: 250-PIPELINING
    DEBUG: Recv: 250-DSN
    DEBUG: Recv: 250-ENHANCEDSTATUSCODES
    DEBUG: Recv: 250-STARTTLS
    DEBUG: Recv: 250-8BITMIME
    DEBUG: Recv: 250-BINARYMIME
    DEBUG: Recv: 250-CHUNKING
    DEBUG: Recv: 250 SMTPUTF8
    Hello [2001:470:1f12:5c0::2]
     157286400
    DEBUG: Send: STARTTLS
    
    DEBUG: Recv: 220 2.0.0 SMTP server ready
    DEBUG: Send: EHLO pfsense.brit-hotel-fumel.net
    
    DEBUG: Recv: 250-PR0P264CA0026.outlook.office365.com Hello [2001:470:1f12:5c0::2]
    DEBUG: Recv: 250-SIZE 157286400
    DEBUG: Recv: 250-PIPELINING
    DEBUG: Recv: 250-DSN
    DEBUG: Recv: 250-ENHANCEDSTATUSCODES
    DEBUG: Recv: 250-AUTH LOGIN XOAUTH2
    DEBUG: Recv: 250-8BITMIME
    DEBUG: Recv: 250-BINARYMIME
    DEBUG: Recv: 250-CHUNKING
    DEBUG: Recv: 250 SMTPUTF8
    Hello [2001:470:1f12:5c0::2]
     157286400
     LOGIN XOAUTH2
    DEBUG: Send: AUTH LOGIN
    DEBUG: Recv: 334 VXNlcm58YhbWU6
    DEBUG: Send: Z3drcm9lYkBob3RtYsdrRTNvbQ==
    DEBUG: Recv: 334 UGFzc3dvdFrtlcmQ6
    DEBUG: Send: aHRzZWNfTRhNDc=
    DEBUG: Recv: 535 5.7.3 Authentication unsuccessful [PR0P264CA0026.FRAP264.PROD.OUTLOOK.COM]
    DEBUG: Send: RSET
    DEBUG: Recv: 250 2.0.0 Resetting
    DEBUG: Send: QUIT
    DEBUG: Recv: 221 2.0.0 Service closing transmission channel
    

    So: smtp.office365.com on port 587 does announce STARTTLS compatibility.
    pfSense does send out STARTTLS to start an SSL connection.

    Then the login fails .... (using my mail like me@test-domaine.fr as a destination).
    Probably my password was wrong ....
    I tested again. Check this out:

    [screenshot: pfSense notification test result]

    And yes, my Hotmail mail account did accept the test mail from pfSense.

    When I changed the "Notification E-Mail address" to some other mail, the mail was sent / forwarded to this address.

    So, the issue isn't an issue ^^ It works.
    If the mail server is STARTTLS capable, pfSense mail (smtp) notification system will use it.
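The debug trace above shows the whole sequence a submission client has to follow: EHLO, check that STARTTLS is advertised, STARTTLS, EHLO again (only now does AUTH appear), then AUTH LOGIN. The Python below is an added example, not pfSense's notification code, that implements that decision logic offline: it parses EHLO replies constructed from the capability lines quoted in the post, picks implicit TLS for 465 or STARTTLS for 587, refuses to authenticate outside a TLS session, and decodes a 334 challenge to show that AUTH LOGIN is only base64, not encryption. The `send_notification()` function at the end does the real thing with `smtplib` and certificate validation; host, user, password and addresses in it are placeholders.

```python
"""Added example (not pfSense's own code): choosing between implicit TLS on
port 465 and STARTTLS on submission port 587, and only authenticating once
TLS is up. The EHLO replies are constructed from the thread's debug output."""
import base64
import smtplib
import ssl

# Constructed sample: the first EHLO reply, sent in cleartext before STARTTLS.
EHLO_BEFORE_STARTTLS = """250-PR0P264CA0026.outlook.office365.com Hello [2001:470:1f12:5c0::2]
250-SIZE 157286400
250-PIPELINING
250-STARTTLS
250-8BITMIME
250 SMTPUTF8"""

# Constructed sample: the reply to the second EHLO, inside the TLS session.
# STARTTLS is gone and AUTH has appeared.
EHLO_AFTER_STARTTLS = """250-PR0P264CA0026.outlook.office365.com Hello [2001:470:1f12:5c0::2]
250-SIZE 157286400
250-AUTH LOGIN XOAUTH2
250 SMTPUTF8"""


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line EHLO reply into {KEYWORD: [params]}.

    Each line starts with '250-' (more follows) or '250 ' (last line).
    The first line is the greeting and carries no capability."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        keyword, *params = line[4:].strip().split()
        caps[keyword.upper()] = params
    return caps


def choose_tls_mode(port: int, caps: dict) -> str:
    """Policy to apply before any credential leaves the client.

    465: the socket is TLS from the first byte ('implicit'); no STARTTLS needed.
    Other ports: cleartext first, so continue only if STARTTLS was advertised.
    Never fall back to cleartext authentication."""
    if port == 465:
        return "implicit"
    if "STARTTLS" in caps:
        return "starttls"
    raise RuntimeError(f"port {port}: no TLS available, caps={sorted(caps)}")


def auth_login_is_safe(caps: dict, tls_active: bool) -> bool:
    """AUTH LOGIN base64-encodes the username and password; it does not
    encrypt them, so it is acceptable only inside the TLS session."""
    return tls_active and "LOGIN" in caps.get("AUTH", [])


def decode_334_challenge(challenge: str) -> str:
    """Decode a '334 <base64>' challenge (normally 'Username:' / 'Password:')
    to show that the encoding provides no secrecy."""
    return base64.b64decode(challenge.split(maxsplit=1)[1]).decode()


def send_notification(host, port, user, password, sender, recipient, body):
    """Send one mail with chain and hostname verification on both paths.
    host/user/password/addresses are placeholders; not exercised offline."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    if port == 465:
        conn = smtplib.SMTP_SSL(host, port, context=ctx, timeout=30)
    else:
        conn = smtplib.SMTP(host, port, timeout=30)
        conn.ehlo()
        if not conn.has_extn("starttls"):
            conn.quit()
            raise RuntimeError("server did not offer STARTTLS; refusing cleartext login")
        conn.starttls(context=ctx)
        conn.ehlo()  # capabilities change after the handshake (AUTH appears)
    try:
        conn.login(user, password)
        msg = f"From: {sender}\r\nTo: {recipient}\r\nSubject: pfSense test\r\n\r\n{body}"
        conn.sendmail(sender, [recipient], msg)
    finally:
        conn.quit()


if __name__ == "__main__":
    before = parse_ehlo(EHLO_BEFORE_STARTTLS)
    after = parse_ehlo(EHLO_AFTER_STARTTLS)
    print("587 ->", choose_tls_mode(587, before))
    print("AUTH before TLS safe?", auth_login_is_safe(before, tls_active=False))
    print("AUTH after TLS safe? ", auth_login_is_safe(after, tls_active=True))
    print(decode_334_challenge("334 VXNlcm5hbWU6"), decode_334_challenge("334 UGFzc3dvcmQ6"))
```

The point of the two EHLO parses is the one visible in the trace: the server only offers AUTH after STARTTLS, so a client that sends AUTH on the first EHLO (or that skips STARTTLS because a "use SSL" checkbox was meant for 465) fails or leaks credentials.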



  • I appreciate the work you put in. It just doesn't make any sense. The problem appears to be, maybe, with two-factor authentication and an application password problem. I look at it from that end, because of the wonderful job you did in proving me wrong. 😀



  • Well, I set it up like yours, unchecked 'enable SMTP over SSL/TLS' and 'validate server', and it worked even with the application password. Color me confused.



  • @TexasOutrage said in Notification email settings. Allow STARTTLS option.:

    unchecked enable SMTP over SSL/TLS and validate

    That won't work. Microsoft doesn't do SSL out of the box = port 465..
    '587' means: the initial communication goes 'clear' over the line; SSL (after STARTTLS) starts afterwards.
    Btw: as you can see above, user/password authentication happens after STARTTLS, so it's pretty secure.

    I did receive a mail from them that stated that there was some 'unknown access' to my account; I granted that message with an "It was me" indication.
    Afterwards, all was fine.

    I'm using this myself :

    [screenshot: notification e-mail settings for my own mail server]

    which says: my mail server knows it's 'me' and my pfSense knows it's 'my mail server' (because the certs are trusted on both sides).

    Use https://www.checktls.com/ and check your own mail address (it should be all green everywhere) ^^



  • Well, the test email went after I unchecked the above boxes and resubmitted it with the same credentials. Don't know. I set up the connection based on your screen capture of the screen for the Hotmail account, and it works. I'd have to try the debug trick and follow the bouncing mail to see exactly what it's doing, but it seems to work for the moment.



  • Note: my last image concerns my own mail server - using port 465 - thus SMTP over SSL and cert checking on both sides.
    All this is unknown for MSN/Hotmail/Outlook.

    Btw, Google (Gmail) dropped submission (= '587') usage and stepped over to 465 a long time ago.

