email Notification login credentials not yet implimented?

Oclair

why is there not a category in the forums for email notifications?

Hey all, under email notifications I have entered the login credentials and still pfsense does not authenticate with the external email server (running postfix/dovecot on FreeBSD 11.3)

Instead it only works without logging in and I get Received-SPF: softfail which should not be relevant if it is a well behaved client logging in to send email via pop3 or imap...

Could not send the message to recipientuser@domain.ext -- Error: Failed to set sender: senderuser@domain.ext [SMTP: Invalid response code received from server (code: 530, response: 5.7.0 Must issue a STARTTLS command first)]

Does pfsense thinks it's going to relay and use credentials for host.domain and that's just that?

Are the login credentials are not yet being implemented?

This thread might be related as my mail server uses STARTTLS https://www.reddit.com/r/PFSENSE/comments/7pwzd6/notification_emails_not_working_with_starttls/

I am thinking it's just not a good idea to activate email notifications which appears at worst to send out email via cleartext on the wire, and at best should be blocked as the ip of this residential network constantly changes and the SPF will fail anyways.

smithclarkson001

This post is deleted!

Gertjan

@Oclair said in email Notification login credentials not yet implimented?:

Does pfsense thinks it's going to relay and use credentials for host.domain and that's just that?

Dono if it thinks

Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-mail.kroeb.me
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-PIPELINING
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-SIZE 31457280
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-VRFY
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-ETRN
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-ENHANCEDSTATUSCODES
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250-8BITMIME
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 250 DSN
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: < Blablabla AUTH LOGIN

What I do know, is that when your postfix setup is instructed to ask for STARTTLS, pfSense will act on it.
As you can see, my postfix is sending a "250 STARTTLS" as a possible option.
Yours does the same ?

Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: < Blablabla STARTTLS
......
Oct 21 14:05:26 ns311465 postfix/smtpd[28285]: > Blablabla 220 2.0.0 Ready to start TLS

@Oclair said in email Notification login credentials not yet implimented?:

which appears at worst to send out email via cleartext on the wire

Yep, right.
That's why '587' or STARTTLS and all that is phasing out.
It '465' and SSL right away these days.
Up to you to make that happening, by setting up postfix the right way.

Oclair

@Gertjan said in email Notification login credentials not yet implimented?:

That's why '587' or STARTTLS and all that is phasing out.
It '465' and SSL right away these days.
Up to you to make that happening, by setting up postfix the right way.

Asshat award goes to...

Oclair

TROLLS in forums: What happens when BSD becomes the cornerstone of someone's for profit company.... Well just don't be a dick I suppose...

Gertjan

@Oclair said in email Notification login credentials not yet implimented?:

Asshat award goes to...

To no-one.

Was replying to your

at worst to send out email via cleartext ...

and I agree.

So go pure SSL == 465.
Right ? (You're in command)

Oclair

I asked a question regarding STARTTLS support in pfsense, Not if I should change my mailserver host's config

STARTTLS is not going anywhere, it is not been depreciated

the notifications implementation appears to be broken?

Gertjan

I'm using it right now :

After sending a test : mail - server side logs :

Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-mail.*******.me
Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-PIPELINING
Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-SIZE 31457280
Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-VRFY
Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-ETRN
Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-STARTTLS
Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-ENHANCEDSTATUSCODES
Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250-8BITMIME
Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: > mail.****.me[2001:470:1f12:xxxx::2]: 250 DSN

As you can see, my mail server sends out it's capabilities.
Among them, there is "STARTSSL".

Because the mailing system of pfSense scans the capabilities, and it found STARTSSL, it issues a STARTTLS

Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: < mail.****.me[2001:470:1f12:xxxx::2]: STARTTLS
...

The TCP connection is renegotiated as an SSL connection, the entire process start over, this time encrypted.
Mail caps are send again (except STRTSSL, because SSL that mode is activated now) and the LOGIN starts :

Nov  5 12:27:33 ns311465 postfix/smtpd[29808]: < mail.****.me[2001:470:1f12:xxxx::2]: AUTH LOGIN
.....

Btw : my postfix settings for this domain, protocol submission (port 587) :

mail.*******.me:submission      inet    n       -       -       -       -       smtpd -v
  -o myhostname=mail.*****.me
  -o smtp_helo_name=mail.*****.me
  -o smtpd_tls_security_level=may
  -o smtpd_etrn_restrictions=reject
  -o smtpd_tls_cert_file=/etc/ssl/*****.me/*****.me.pem
  -o smtpd_tls_key_file=/etc/ssl/****.me/*****.me.pem
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=amavis:[127.0.0.1]:10026
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_auth_enable=yes

The important part is the

smtpd_tls_security_level=may

setting which activated STARTSSL capabilities.

When I have some time, I could show you the same thing using gmail's mail server, also proposing submission with SSL (STARTSSL). In that case, I won't have access to the mail servers logs ;)

@Oclair said in email Notification login credentials not yet implimented?:

Not if I should change my mailserver host's config

You and I use the same "pfSense". Right ?
There are no settings on the pfSense side, except the usual mail server address and port.
What do you want me to say ?
Let's be neutral : when both sides agree, mail communication will use STARTSSL.

Another proof :
My Outlook 2010 mail client settings

As you can see, it uses "587" (submission) and the TLS (STARTTLS). Outlook can send mails just fine, doing the same thing as pfSense does.

Outlook 365 and Outlook 2016 : same result.

nikkinemo95

Why is there not a category in the forums for email notifications?

Gertjan

@nikkinemo95 said in email Notification login credentials not yet implimented?:

Why is there not a category in the forums for email notifications?

Serious ?
The answer showed up the moment you posted :

Btw : the image above isn't acutal any more.
'submission' is phasing out.
It's all port 465 now, or smtps.
The protocol setting for 'smtps' connections can be set to "Auto" as Outlook 365 will figure it out.

nikkinemo95

This post is deleted!

Oclair

Btw : the image above isn't acutal any more.
'submission' is phasing out.
It's all port 465 now, or smtps.
The protocol setting for 'smtps' connections can be set to "Auto" as Outlook 365 will figure it out.

Omg who is this guy?
This is so wrong on so many levels ...