Cant reach my imap server

Modesty · Sep 17, 2020, 2:39 PM

Hi

i have probably enebled somthing in pfSense that make my imap mail unstable

Some days I receiv mail som other I dont. On my phone it works all the time...

I connect to mail.myserver.com, and provider asks me to use port 587 for outgoing and 143 for incoming. And this setting has worked for the last years.

Any tip to give me?

Here is whats running on pfSense
login-to-view

Raffi_ · Sep 17, 2020, 1:57 PM

That could be due to many reasons. We don't have much information go on, but from what you have provided the one thing I can think of that might create intermittent issues is your Snort install. Depending on how Snort is configured it can very easily flag legitimate traffic as a false positive. That would prevent traffic from temporarily flowing to a specific IP such as your imap server. When you run into this issue, take a look at your block list in Snort. If you have any entries in there try to see if your server IP is listed there. Clear that entry if you can identify it. If you don't know the server IP, try clearing all entries and see if mail is suddenly restored.

viragomann · Sep 17, 2020, 2:39 PM

@MOdesty said in Cant reach my imap server:

and provider asks me to use port 587 for outgoing and 143 for incoming.

Are you connecting to the IMAP unencrypted?

Raffi_ · Sep 17, 2020, 2:50 PM

@viragomann said in Cant reach my imap server:

Are you connecting to the IMAP unencrypted?

That is scary. @MOdesty I would look for another provider if that is the case.

Modesty · Sep 17, 2020, 2:59 PM

thanks @Raffi_ and @viragomann

Well, I have had trouble connecting so its unencrypted. This is a mail account I don't use much...
I call them and ask how to enable encryption.

I disabled Snort, but still cant connect whit 'telnet mail.mydomain.com 587' and 'mail.mydomain.com 144'

I know its not much info Isupply, but I'm not a FW expert...

Can I make some logging to show you guys?

DaddyGo · Sep 17, 2020, 3:01 PM

@viragomann said in Cant reach my imap server:

Are you connecting to the IMAP unencrypted?

587 you just leave it, as it can be STARTTLS
but the 143 naked as the head of a bald man

993 and 465 well they prefer

Raffi_ · Sep 17, 2020, 3:02 PM

@MOdesty said in Cant reach my imap server:

I disabled Snort, but still cant connect whit 'telnet mail.mydomain.com 587' and 'mail.mydomain.com 144'

I asked you to try going to the block list and removing the entries for a reason. Disabling Snort, does not do the same thing. If you have entries being blocked by snort, disabling snort does not allow traffic to those entries, they are still blocked. You MUST go to Snort and clear the block list to restore that traffic.

Raffi_ · Sep 17, 2020, 3:03 PM

@DaddyGo said in Cant reach my imap server:

but the 143 naked as the head of a bald man

DaddyGo · Sep 17, 2020, 3:09 PM

@Raffi_ said in Cant reach my imap server:

You MUST go to Snort

when I first saw the post immediately jumped into Snort issue and if IMAP / SMTP related rules are installed without reason this will be the possible case,....hmmm

login-to-view

Raffi_ · Sep 17, 2020, 3:17 PM

@MOdesty if you are not familiar with how Snort works, I would highly recommend running it as an IDS (intrusion detection mode) initially. My suggestions above are assuming you're running it as an IPS (intrusion prevention mode) which would block on alerts.

DaddyGo · Sep 17, 2020, 3:22 PM

@MOdesty said in Cant reach my imap server:

I call them and ask how to enable encryption.

it is usually enough to change the ports + Auth., as every serious mail provider uses more than one ports ...

it is also true that, the serious email service providers....
unencrypted ports have already been closed

like here:

login-to-view

or here:

login-to-view

Modesty · Oct 9, 2020, 7:25 AM

Hi
i hope i can get some more help...

I have changed to imap 993/ssl + 465/ssl, it works when on shared 4g WLAN, NOT on pfSense

I have disabled all pfSense pakages, did not work

I have restored pfSense backup from desember 2019 (at that time all was working)

My imap mail service provider states that certificate is not for me alone, but for all their mail customers, it is a letsEncrypt, seems to work because it works on my phone + on my computer when on other wlan that my pfSense box.

Another odd thing, my Samsung phone with samsung mail works as my computer (works not) when phone and PC usese wlan from my pfSense.
On my phone i installed outlook and that client manage to receive mail when on same lan as PC, pfSense box., why?

Any ideas to search for solutions?

Gertjan · Oct 9, 2020, 8:02 AM

@MOdesty said in Cant reach my imap server:

Another odd thing, my Samsung phone with samsung mail works as my computer (works not) when phone and PC usese wlan from my pfSense.
On my phone i installed outlook and that client manage to receive mail when on same lan as PC, pfSense box., why?

Your saying : your Phone, using the local WLAN or Wifi, so behind pfSense on a LAN, can access the mail, but the PC on the same LAN, can not ?
This excludes pfSense as an issue.

Suddenly, you mention the word 'certificate' here.

@MOdesty said in Cant reach my imap server:

My imap mail service provider states that certificate is not for me alone

Why are you thinking the (a ?) certificate is just made for you ?
Why ? What error ?
Are you able to makes screen captures of the issues ? And Ctrl-C Ctrl-V them here in the forum ?

login-to-view

@MOdesty said in Cant reach my imap server:

Any ideas to search for solutions?

Yeah. You already said it yourself :

Everything can be rebuilt!

Squid, squidGuard, Snort, iPerf, clamd (and c-icap) are packages that go well beyond 'classic' router/firewall setup **

Better yet : for http, https, pop,pops, imaps,ssh, ntp, etc, actuallu, any port between 1 and 65535, to any addresses situated at the Internet, for TCP, UDP you do not need to add, remove or change something.
Set up pfSense by making WAN work, and you'll be good.

Mail access is something that should be done in the device(s), where your mail clients are. Nothing has to be done on pfSense.

** It's said that some video documentation on the Internet shows the usage of some packages, giving the impression that you can intercept traffic that flows through the router. You can't. As the KGB, Mossad, CIA, NSA can't neither.
For valid video sources : see the Netgate => Youtube videos (only).

Modesty · Oct 10, 2020, 5:46 AM

Hi

Well, it can be rebuilt, and a backup from 2019 is that, did unfortunate not help this time.

this is the only error I manage to find:

login-to-view

the big question is why my computer reach mail server when on OFFICE LAN and not on HOME LAN? Same internet provider (get.no) and same mail provider. Only difference is router config:
HOME pfSense + bridged get.no router
WORK only get.no router.

Reason I mention SSL certificate is that it is information you forum useres may understand and connect to my mail issue. Mail provider write on his home page:

"Use of encryption (SSL)

If you wish, you can use encrypted connection to the mail server. Note, however, that your e-mail server does not have its own so-called SSL certificate, but shares this with other customers. You will thus get a warning in your e-mail reader the first time you activate SSL which says that the certificate does not match your domain name. You must accept the certificate then presented before you can use SSL."