email Notification login credentials not yet implemented?
-
why is there not a category in the forums for email notifications?
Hey all, under email notifications I have entered the login credentials and still pfsense does not authenticate with the external email server (running postfix/dovecot on FreeBSD 11.3)
Instead it only works without logging in and I get Received-SPF: softfail which should not be relevant if it is a well behaved client logging in to send email via pop3 or imap...
Could not send the message to recipientuser@domain.ext -- Error: Failed to set sender: senderuser@domain.ext [SMTP: Invalid response code received from server (code: 530, response: 5.7.0 Must issue a STARTTLS command first)]
Does pfsense think it's going to relay and use credentials for host.domain and that's just that?
Are the login credentials not yet being implemented?
This thread might be related as my mail server uses STARTTLS https://www.reddit.com/r/PFSENSE/comments/7pwzd6/notification_emails_not_working_with_starttls/
I am thinking it's just not a good idea to activate email notifications which appears at worst to send out email via cleartext on the wire, and at best should be blocked as the ip of this residential network constantly changes and the SPF will fail anyways.
-
@Oclair said in email Notification login credentials not yet implemented?:
Does pfsense think it's going to relay and use credentials for host.domain and that's just that?
Dunno if it thinks
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-mail.kroeb.me
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-PIPELINING
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-SIZE 31457280
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-VRFY
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-ETRN
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-ENHANCEDSTATUSCODES
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-8BITMIME
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250 DSN
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: < Blablabla AUTH LOGIN
What I do know, is that when your postfix setup is instructed to ask for STARTTLS, pfSense will act on it.
As you can see, my postfix is sending a "250 STARTTLS" as a possible option.
Yours does the same ?
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: < Blablabla STARTTLS
......
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 220 2.0.0 Ready to start TLS
@Oclair said in email Notification login credentials not yet implemented?:
which appears at worst to send out email via cleartext on the wire
Yep, right.
That's why '587' or STARTTLS and all that is phasing out.
It's '465' and SSL right away these days.
Up to you to make that happen, by setting up postfix the right way.
@Gertjan said in email Notification login credentials not yet implemented?:
That's why '587' or STARTTLS and all that is phasing out.
It's '465' and SSL right away these days.
Up to you to make that happen, by setting up postfix the right way.
Asshat award goes to...
-
TROLLS in forums: What happens when BSD becomes the cornerstone of someone's for profit company.... Well just don't be a dick I suppose...
-
@Oclair said in email Notification login credentials not yet implemented?:
Asshat award goes to...
To no-one.
Was replying to your
at worst to send out email via cleartext ...
and I agree.
So go pure SSL == 465.
Right ? (You're in command)
I asked a question regarding STARTTLS support in pfsense, not if I should change my mailserver host's config.
STARTTLS is not going anywhere, it has not been deprecated.
The notifications implementation appears to be broken?
-
I'm using it right now :
After sending a test : mail - server side logs :
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-mail.*******.me
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-PIPELINING
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-SIZE 31457280
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-VRFY
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-ETRN
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-STARTTLS
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-ENHANCEDSTATUSCODES
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-8BITMIME
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250 DSN
As you can see, my mail server sends out its capabilities.
Among them, there is "STARTSSL".
Because the mailing system of pfSense scans the capabilities, and it found STARTSSL, it issues a STARTTLS
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: < mail.****.me[2001:470:1f12:xxxx::2]: STARTTLS ...
The TCP connection is renegotiated as an SSL connection, the entire process starts over, this time encrypted.
Mail caps are sent again (except STARTSSL, because that SSL mode is activated now) and the LOGIN starts :
Nov 5 12:27:33 ns311465 postfix/smtpd[29808]: < mail.****.me[2001:470:1f12:xxxx::2]: AUTH LOGIN .....
Btw : my postfix settings for this domain, protocol submission (port 587) :
mail.*******.me:submission inet n - - - - smtpd -v
  -o myhostname=mail.*****.me
  -o smtp_helo_name=mail.*****.me
  -o smtpd_tls_security_level=may
  -o smtpd_etrn_restrictions=reject
  -o smtpd_tls_cert_file=/etc/ssl/*****.me/*****.me.pem
  -o smtpd_tls_key_file=/etc/ssl/****.me/*****.me.pem
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=amavis:[127.0.0.1]:10026
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_auth_enable=yes
The important part is the
smtpd_tls_security_level=may
setting which activated STARTSSL capabilities.
When I have some time, I could show you the same thing using gmail's mail server, also proposing submission with SSL (STARTSSL). In that case, I won't have access to the mail server's logs ;)
@Oclair said in email Notification login credentials not yet implemented?:
Not if I should change my mailserver host's config
You and I use the same "pfSense". Right ?
There are no settings on the pfSense side, except the usual mail server address and port.
What do you want me to say ?
Let's be neutral : when both sides agree, mail communication will use STARTSSL.
Another proof :
My Outlook 2010 mail client settings
As you can see, it uses "587" (submission) and the TLS (STARTTLS). Outlook can send mails just fine, doing the same thing as pfSense does.
Outlook 365 and Outlook 2016 : same result.
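An added example (not from the thread, pfSense or Postfix): a Python check over `smtpd -v` log lines in the format posted above that flags sessions where AUTH is advertised or issued before the STARTTLS exchange completes. The sample lines, host names and PIDs are constructed, and tracking a session by smtpd PID with a reset at `connect from` is a simplifying assumption.

```python
import re

# Constructed sample in the `smtpd -v` format quoted in the thread
# ("<" = from client, ">" = from server). Hosts and PIDs are placeholders.
SAMPLE_LOG = """\
Oct 21 14:05:26 mx postfix/smtpd[100]: connect from client.example[192.0.2.10]
Oct 21 14:05:26 mx postfix/smtpd[100]: > client.example[192.0.2.10]: 250-AUTH PLAIN LOGIN
Oct 21 14:05:26 mx postfix/smtpd[100]: > client.example[192.0.2.10]: 250 DSN
Oct 21 14:05:26 mx postfix/smtpd[100]: < client.example[192.0.2.10]: AUTH LOGIN
Nov  5 12:27:33 mx postfix/smtpd[200]: connect from client.example[192.0.2.10]
Nov  5 12:27:33 mx postfix/smtpd[200]: > client.example[192.0.2.10]: 250-STARTTLS
Nov  5 12:27:33 mx postfix/smtpd[200]: < client.example[192.0.2.10]: STARTTLS
Nov  5 12:27:33 mx postfix/smtpd[200]: > client.example[192.0.2.10]: 220 2.0.0 Ready to start TLS
Nov  5 12:27:33 mx postfix/smtpd[200]: > client.example[192.0.2.10]: 250-AUTH PLAIN LOGIN
Nov  5 12:27:33 mx postfix/smtpd[200]: < client.example[192.0.2.10]: AUTH LOGIN
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (?:([<>]) \S+: (.*)|(connect from .*))$")

def audit(log_text):
    """Map smtpd PID -> findings for sessions that expose AUTH outside TLS."""
    state, findings = {}, {}          # state[pid]: None | "pending" | "tls"
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, direction, payload, connect = m.groups()
        if connect:                   # new client on this smtpd process
            state[pid] = None
            continue
        cmd = payload.upper()
        tls = state.get(pid) == "tls"
        if direction == "<" and cmd.startswith("STARTTLS"):
            state[pid] = "pending"
        elif direction == ">" and cmd.startswith("220") and state.get(pid) == "pending":
            state[pid] = "tls"        # server accepted; rest of session is encrypted
        elif direction == ">" and re.match(r"250[- ]AUTH", cmd) and not tls:
            findings.setdefault(pid, set()).add("AUTH offered before TLS")
        elif direction == "<" and cmd.startswith("AUTH") and not tls:
            findings.setdefault(pid, set()).add("AUTH command sent before TLS")
    return {pid: sorted(f) for pid, f in findings.items()}

if __name__ == "__main__":
    for pid, problems in audit(SAMPLE_LOG).items():
        print(f"smtpd[{pid}]: {', '.join(problems)}")
```

On the Postfix side, `smtpd_tls_auth_only = yes` keeps the server from announcing or accepting AUTH on unencrypted connections.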
-
Why is there not a category in the forums for email notifications?
-
@nikkinemo95 said in email Notification login credentials not yet implemented?:
Why is there not a category in the forums for email notifications?
Serious ?
The answer showed up the moment you posted :
Btw : the image above isn't actual any more.
'submission' is phasing out.
It's all port 465 now, or smtps.
The protocol setting for 'smtps' connections can be set to "Auto" as Outlook 365 will figure it out.
Btw : the image above isn't actual any more.
'submission' is phasing out.
It's all port 465 now, or smtps.
The protocol setting for 'smtps' connections can be set to "Auto" as Outlook 365 will figure it out.
Omg who is this guy?
This is so wrong on so many levels ...