Notification email settings. Allow STARTTLS option.
-
Outlook.com requires starttls to be used when connecting to their smtp server. It uses port 587 and when using that port, gmail.com also requires that. If you use 465, it looks like gmail.com will accept standard ssl/tls connections. It works for gmail using port 465, but it's documented for outlook.com that starttls is required.
-
-
Yeah, it mentions exactly what I'm talking about. He couldn't get it to work with outlook.com on port 587. I'm not going to communicate with a mail server without using tls.
-
@TexasOutrage said in Notification email settings. Allow STARTTLS option.:
I'm not going to communicate with a mail server without using tls.
The big ones, like outlook, gmail, etc. won't even let you NOT use some SSL.
I just tried making it work - I have an ancient hotmail account. After some tries, I noticed that 'outlook' sent me a mail that there was "suspicious" activity.
I told them it was "me".
Activated POP support (and thus smtp). True, they want STARTTLS on 587 ..... pfSense dropped that probably.
Well, ok, that's their issue then. I went back to my own mail server (465 is smtps) like gmail, works also great (free pop ups on your phone are for free with the gmail App ^^) -
@Gertjan Yes, and that's all I was saying with my initial post. It needs a StartTLS option to communicate with a lot of current email servers. Gmail on port 465 doesn't use starttls, but 587 does. Starttls is supposedly more secure than the traditional method. That's why they require it on those ports. I mean freenas supports it and it's based on the same base os. So I can use outlook for freenas but I have to move to gmail for notifications for my firewall. Doesn't make a whole lot of sense, does it?
-
@TexasOutrage said in Notification email settings. Allow STARTTLS option.:
It needs a StartTLS option to communicate with a lot of current email servers.
I had some time to check what happens.
I do own my own mail server, and normally my mail clients are using '465' (smtp over SSL).
But 'submission' (port 587) also works.

220 mail.test-domaine.fr ESMTP Postfix
EHLO me.tld
250-mail.test-domaine.fr
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
As you can see, the server announces that it accepts STARTTLS among others.
Aug 15 14:50:46 ns311465 postfix/smtpd[27438]: connect from tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
Aug 15 14:50:46 ns311465 postfix/smtpd[27438]: Anonymous TLS connection established from tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 15 14:50:46 ns311465 postfix/smtpd[27438]: D026B63E03BF: client=tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2], sasl_method=LOGIN, sasl_username=me@test-domaine.fr
Aug 15 14:50:47 ns311465 postfix/cleanup[27456]: D026B63E03BF: message-id=<>
Aug 15 14:50:47 ns311465 postfix/qmgr[25884]: D026B63E03BF: from=<pfsense@brit-hotel-fumel.fr>, size=619, nrcpt=1 (queue active)
Aug 15 14:50:47 ns311465 postfix/smtpd[27438]: disconnect from tunnel245809-pt.tunnel.tserv10.par1.ipv6.he.net[2001:470:1f12:5c0::2]
The "Anonymous TLS connection established from" on the second line states that the STARTTLS was accepted and activated.
To see what really happens, I went to /etc/inc/notices.inc, line 395 and set debug to true:
'debug' => true,
Now, when a mail is sent, the debug info appears at the top of the page (overlapped by the GUI menu bar, so inspect the page to see all of it).
DEBUG: Recv: 220 PR0P264CA0026.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 15 Aug 2019 13:06:42 +0000
DEBUG: Send: EHLO pfsense.brit-hotel-fumel.net
DEBUG: Recv: 250-PR0P264CA0026.outlook.office365.com Hello [2001:470:1f12:5c0::2]
DEBUG: Recv: 250-SIZE 157286400
DEBUG: Recv: 250-PIPELINING
DEBUG: Recv: 250-DSN
DEBUG: Recv: 250-ENHANCEDSTATUSCODES
DEBUG: Recv: 250-STARTTLS
DEBUG: Recv: 250-8BITMIME
DEBUG: Recv: 250-BINARYMIME
DEBUG: Recv: 250-CHUNKING
DEBUG: Recv: 250 SMTPUTF8 Hello [2001:470:1f12:5c0::2] 157286400
DEBUG: Send: STARTTLS
DEBUG: Recv: 220 2.0.0 SMTP server ready
DEBUG: Send: EHLO pfsense.brit-hotel-fumel.net
DEBUG: Recv: 250-PR0P264CA0026.outlook.office365.com Hello [2001:470:1f12:5c0::2]
DEBUG: Recv: 250-SIZE 157286400
DEBUG: Recv: 250-PIPELINING
DEBUG: Recv: 250-DSN
DEBUG: Recv: 250-ENHANCEDSTATUSCODES
DEBUG: Recv: 250-AUTH LOGIN XOAUTH2
DEBUG: Recv: 250-8BITMIME
DEBUG: Recv: 250-BINARYMIME
DEBUG: Recv: 250-CHUNKING
DEBUG: Recv: 250 SMTPUTF8 Hello [2001:470:1f12:5c0::2] 157286400 LOGIN XOAUTH2
DEBUG: Send: AUTH LOGIN
DEBUG: Recv: 334 VXNlcm58YhbWU6
DEBUG: Send: Z3drcm9lYkBob3RtYsdrRTNvbQ==
DEBUG: Recv: 334 UGFzc3dvdFrtlcmQ6
DEBUG: Send: aHRzZWNfTRhNDc=
DEBUG: Recv: 535 5.7.3 Authentication unsuccessful [PR0P264CA0026.FRAP264.PROD.OUTLOOK.COM]
DEBUG: Send: RSET
DEBUG: Recv: 250 2.0.0 Resetting
DEBUG: Send: QUIT
DEBUG: Recv: 221 2.0.0 Service closing transmission channel
So: smtp.office365.com on port 587 does announce STARTTLS compatibility.
pfSense does send out STARTTLS to start an SSL connection. Then the login fails .... (using my mail like me@test-domaine.fr as a destination).
Probably my password was wrong ....
I tested again. Check this out: and yes, my hotmail mail account did accept the test mail from pfSense.
When I changed the "Notification E-Mail address" to some other mail, the mail was sent / forwarded to this address.
So, the issue isn't an issue ^^ It works.
If the mail server is STARTTLS capable, pfSense mail (smtp) notification system will use it. -
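The two EHLO exchanges shown in the post above (one before and one after STARTTLS) are the whole point: the server only advertises AUTH once the channel is encrypted. Below is an added example, not pfSense's own notices.inc code, that parses those replies, decides per port whether credentials may be sent at all, and performs the 587 submission with certificate validation (the "Validate server" idea) using Python's standard smtplib. Host, account and message values are placeholders the caller supplies.

```python
import smtplib
import ssl

# Constructed from the EHLO replies in the post above: before and after STARTTLS.
EHLO_CLEAR = """250-PR0P264CA0026.outlook.office365.com Hello [2001:470:1f12:5c0::2]
250-SIZE 157286400
250-STARTTLS
250-8BITMIME
250 SMTPUTF8"""
EHLO_TLS = """250-PR0P264CA0026.outlook.office365.com Hello [2001:470:1f12:5c0::2]
250-SIZE 157286400
250-AUTH LOGIN XOAUTH2
250-8BITMIME
250 SMTPUTF8"""

def parse_ehlo(reply):
    """Map an EHLO reply to {EXTENSION: params}; the first line is the server banner."""
    caps = {}
    for line in reply.splitlines()[1:]:
        name, _, params = line[4:].partition(" ")   # drop the "250-" / "250 " prefix
        caps[name.upper()] = params
    return caps

def session_mode(port, ehlo_reply):
    """Pick the connection mode: 465 is implicit TLS, 587 needs STARTTLS, else refuse."""
    if port == 465:
        return "smtps"
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "starttls"
    return "refuse"   # no TLS offered: credentials would go over the wire in clear

def send_via_587(host, user, password, mail_from, rcpt, message, timeout=15):
    """Submission over port 587: STARTTLS with certificate validation, then AUTH."""
    ctx = ssl.create_default_context()   # validates the server cert and hostname
    with smtplib.SMTP(host, 587, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server did not advertise STARTTLS; not sending credentials")
        smtp.starttls(context=ctx)
        smtp.ehlo()   # re-EHLO: AUTH appears only on the encrypted channel
        smtp.login(user, password)
        return smtp.sendmail(mail_from, [rcpt], message)
```

Running send_via_587 against a real submission server reproduces the Send/Recv sequence of the debug trace; a 535 reply from smtp.login points at the credentials (e.g. an app password), not at the TLS setup.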
I appreciate the work you put in. It just doesn't make any sense. The problem appears to be, maybe, with two factor authentication and an application password problem. I look at it from that end, because of the wonderful job you did in proving me wrong.
-
Well, set it up like yours and unchecked enabled smtp over ssl/tls and validate server and it worked even with the application password. Color me confused.
-
@TexasOutrage said in Notification email settings. Allow STARTTLS option.:
unchecked enabled smtp over ssl/tls and validate
That won't work. Microsoft doesn't do SSL out of the box (= port 465).
'587' means: first the initial communication goes 'clear' over the line, SSL (after STARTTLS) starts afterwards.
Btw: as you can see above, user/password authentication happens after STARTTLS, so it's pretty secure. I did receive a mail from them that stated that there was some 'unknown access' to my account; I granted that message with an "It was me" indication.
Afterwards, all was fine. I'm using this myself:
which says: my mail server knows it's 'me' and my pfSense knows it's 'my mail server' (because of the certs trusted on both sides).
Use https://www.checktls.com/ and check your own mail address (it should be all green everywhere) ^^
-
Well, the test email went after I unchecked the above boxes and resubmitted it with the same credentials. Don't know. I set up the connection based on your screen capture of the screen for the hotmail account, and it works. I'd have to try the debug trick and follow the bouncing mail to see exactly what it's doing, but it seems to work for the moment.
-
Note: my last image concerns my own mail server - using port 465 - thus smtp over SSL and cert checking on both sides.
All this is unknown for MSN/Hotmail/Outlook. Btw Google (gmail) dropped submission (= '587') usage and stepped over to 465 a long time ago.