email Notification login credentials not yet implimented?



  • why is there not a category in the forums for email notifications?

    Hey all, under email notifications I have entered the login credentials and still pfsense does not authenticate with the external email server (running postfix/dovecot on FreeBSD 11.3)

    Instead it only works without logging in and I get Received-SPF: softfail which should not be relevant if it is a well behaved client logging in to send email via pop3 or imap...

    Could not send the message to recipientuser@domain.ext -- Error: Failed to set sender: senderuser@domain.ext [SMTP: Invalid response code received from server (code: 530, response: 5.7.0 Must issue a STARTTLS command first)]

    Does pfsense thinks it's going to relay and use credentials for host.domain and that's just that?

    Are the login credentials are not yet being implemented?

    This thread might be related as my mail server uses STARTTLS https://www.reddit.com/r/PFSENSE/comments/7pwzd6/notification_emails_not_working_with_starttls/

    I am thinking it's just not a good idea to activate email notifications which appears at worst to send out email via cleartext on the wire, and at best should be blocked as the ip of this residential network constantly changes and the SPF will fail anyways.



  • @Oclair... Yeah same question...Why is there not a category in the forums for email notifications? Are the login credentials are not yet being Redtube.vin implemented?



  • @Oclair said in email Notification login credentials not yet implimented?:

    Does pfsense thinks it's going to relay and use credentials for host.domain and that's just that?

    Dono if it thinks ☺

    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-mail.kroeb.me
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-PIPELINING
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-SIZE 31457280
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-VRFY
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-ETRN
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-ENHANCEDSTATUSCODES
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-8BITMIME
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250 DSN
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: < Blablabla AUTH LOGIN
    

    What I do know, is that when your postfix setup is instructed to ask for STARTTLS, pfSense will act on it.
    As you can see, my postfix is sending a "250 STARTTLS" as a possible option.
    Yours does the same ?

    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: < Blablabla STARTTLS
    ......
    Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 220 2.0.0 Ready to start TLS
    

    @Oclair said in email Notification login credentials not yet implimented?:

    which appears at worst to send out email via cleartext on the wire

    Yep, right.
    That's why '587' or STARTTLS and all that is phasing out.
    It '465' and SSL right away these days.
    Up to you to make that happening, by setting up postfix the right way.



  • @Gertjan said in email Notification login credentials not yet implimented?:

    That's why '587' or STARTTLS and all that is phasing out.
    It '465' and SSL right away these days.
    Up to you to make that happening, by setting up postfix the right way.

    Asshat award goes to...



  • TROLLS in forums: What happens when BSD becomes the cornerstone of someone's for profit company.... Well just don't be a dick I suppose...



  • @Oclair said in email Notification login credentials not yet implimented?:

    Asshat award goes to...

    To no-one.

    Was replying to your

    at worst to send out email via cleartext ...

    and I agree.

    So go pure SSL == 465.
    Right ? (You're in command)



  • I asked a question regarding STARTTLS support in pfsense, Not if I should change my mailserver host's config

    STARTTLS is not going anywhere, it is not been depreciated

    the notifications implementation appears to be broken?



  • I'm using it right now :

    fc1703b1-3324-4de5-b940-6bd3d07e58b0-image.png

    After sending a test : mail - server side logs :

    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-mail.*******.me
    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-PIPELINING
    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-SIZE 31457280
    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-VRFY
    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-ETRN
    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-STARTTLS
    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-ENHANCEDSTATUSCODES
    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-8BITMIME
    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250 DSN
    

    As you can see, my mail server sends out it's capabilities.
    Among them, there is "STARTSSL".

    Because the mailing system of pfSense scans the capabilities, and it found STARTSSL, it issues a STARTTLS

    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: < mail.****.me[2001:470:1f12:xxxx::2]: STARTTLS
    ...
    

    The TCP connection is renegotiated as an SSL connection, the entire process start over, this time encrypted.
    Mail caps are send again (except STRTSSL, because SSL that mode is activated now) and the LOGIN starts :

    Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: < mail.****.me[2001:470:1f12:xxxx::2]: AUTH LOGIN
    .....
    

    Btw : my postfix settings for this domain, protocol submission (port 587) :

    mail.*******.me:submission      inet    n       -       -       -       -       smtpd -v
      -o myhostname=mail.*****.me
      -o smtp_helo_name=mail.*****.me
      -o smtpd_tls_security_level=may
      -o smtpd_etrn_restrictions=reject
      -o smtpd_tls_cert_file=/etc/ssl/*****.me/*****.me.pem
      -o smtpd_tls_key_file=/etc/ssl/****.me/*****.me.pem
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o content_filter=amavis:[127.0.0.1]:10026
      -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_sasl_auth_enable=yes
    

    The important part is the

    smtpd_tls_security_level=may
    

    setting which activated STARTSSL capabilities.

    When I have some time, I could show you the same thing using gmail's mail server, also proposing submission with SSL (STARTSSL). In that case, I won't have access to the mail servers logs ;)

    @Oclair said in email Notification login credentials not yet implimented?:

    Not if I should change my mailserver host's config

    You and I use the same "pfSense". Right ?
    There are no settings on the pfSense side, except the usual mail server address and port.
    What do you want me to say ?
    Let's be neutral : when both sides agree, mail communication will use STARTSSL.

    Another proof :
    My Outlook 2010 mail client settings
    7ae3552a-7723-4466-9acb-11b4e57d1f0e-image.png

    As you can see, it uses "587" (submission) and the TLS (STARTTLS). Outlook can send mails just fine, doing the same thing as pfSense does.

    Outlook 365 and Outlook 2016 : same result.


Log in to reply