pfSense Email notification
-
I am trying to get Email notification set up on my new system. This is pfSense 2.6.0 on Protectli FW2-2 hardware. The basic functions are all working but I am not succeeding with the notification setup using my home gmail. From what I see - Google is making this hard and it is only going to get worse in May when they remove support for "less secure apps". The error message on test references Authentication 5.7.0. I did some looking at Yahoo and it seems they are going the same way. Does anyone know of an email platform that is more friendly to third party apps or a workaround to the google restrictions?
I had this working on my prior pfSense system until Google started pulling the plug on the support about 1.5 years ago.
Thanks.
-
How are you trying to use it?
There have been a few threads about this and needing to use an 'app password' rather than the main account password to avoid the MFA requirement.
Steve
-
@stephenw10 So I already have an update after reading through some of the other messages on the topic. I have it working - at least for now. The main thing is that I did not have a CA - certification authority - set up. Unfortunately none of the error messages or Google guides ever mentioned CA to even prompt me to look at that. I set up a self-signed CA. I did also find a message on the classic gmail setup which I followed - though I think I had tried that configuration. Now the only question is will it stay working after May when Google is dropping support for "less secure apps".
-
@pdrallod If your ISP doesn't block outbound port 25 you can try using your email address's MX record as a smart host, with no credentials. (basically, inbound email to yourself). Port 25 is likely blocked by most residential and many business ISPs though.
-
Port 25 ?
That port really should only be used for originating and receiving mail servers.
"Mail box clients", that you, me and everybody else use, should use the ports reserved for that usage. Here it is :
and yes, the 'password' is not my gmail mail password.
Years ago I created a password ("app password"?) especially for this pfSense setup. Except for the password story, this mail setup is 100 % vanilla.
Port 465 delivering mail over TLS from the start, using identification. That's the default these days.
smtp.gmail.com looks pretty logical too. I'm not aware of the fact that gmail is going to cancel this functionality.
Automated boxes like pfSense, your hair dryer, central heating, front door cam, etc etc should not use your gmail (email) password. You have to create additional passwords, gmail will generate them for you, and you have to add some info so you will know in the future what device is using what password. This permits you to have access to your gmail account with your own password, and remove/block/etc devices that you don't own/control any more.
Why an app or device password ?
If the device falls into wrong hands, and the password was stored in clear, you have a problem.
If you change your mail password, you have to change also all the devices where you use the same gmail password. That's tedious, and you will always forget one, which means : no more notifications from that device (and gmail gets hit with many login attempts from this device that will fail).
-
@gertjan try port 587
-
@flat4 said in pfSense Email notification:
try port 587
Submission ? Why ?
Very useful in the past. 587 is old and only needed for devices that have issues with TLS. You should not use these any more. Btw : my setup works without issues, and has been crafted as per gmail's mail instructions.
Submission uses non-TLS to start with, example :
220 mail.my-domain.fr ESMTP Postfix
EHLO me.tld
250-mail.my-domain.fr
250-PIPELINING
250-SIZE 31457280
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
mail.my-domain.fr is one of my own domain names, with a mail server.
I could enforce TLS usage at this moment, so the only command the mail client can issue is "STARTTLS". After that, the connection will be TLS. Authentication will follow, and then the mail upload.
Or, if I'm not enforcing TLS because my client app (device) doesn't handle TLS, or just an ancient version like SSL2 or SSL3, I could accept a 'clear' mail upload.
I've no ancient devices or software any more, so I don't need 587 any more. It's '465' with TLS 1.3 from bit one for me now.
Google - gmail also prefers 465 by far.
-
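The exchange described in the post above, as an added example that is not part of the thread and not pfSense's own code: a small client that drives the same EHLO / STARTTLS / EHLO / AUTH dialogue against a scripted stand-in for the Postfix server whose reply is quoted, and that hands over its app password only once the session is encrypted. It generalises the post's two cases: port 465 is TLS from the first byte, port 587 must advertise STARTTLS and be upgraded before AUTH, and any other port (25 included) or a missing or failed STARTTLS ends the session without sending credentials, even though the plaintext EHLO reply quoted above already lists AUTH PLAIN LOGIN. The hostnames mail.my-domain.fr and pfsense.example, the user name and the password are placeholders; the 530 5.7.0 reply is what Postfix returns when it requires TLS before AUTH.

```python
# Added example (not code from the thread or from pfSense): a mailbox client
# that releases its app password only after the session is encrypted, run
# against a scripted stand-in for the Postfix server quoted above. Hostnames,
# the client name pfsense.example and the credentials are placeholders.
import base64
from typing import Dict, List, Tuple


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Map a multi-line 250 EHLO reply to {KEYWORD: [params]}; '250-' marks
    continuation lines, the first line is the server name, and the legacy
    'AUTH=PLAIN LOGIN' spelling is folded into AUTH."""
    caps: Dict[str, List[str]] = {}
    for i, line in enumerate(reply.splitlines()):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"not an EHLO reply line: {line!r}")
        parts = line[4:].split()
        if i == 0 or not parts:
            continue
        keyword, params = parts[0].upper(), parts[1:]
        if keyword.startswith("AUTH="):
            keyword, params = "AUTH", [keyword[5:]] + params
        entry = caps.setdefault(keyword, [])
        for p in params:
            if p not in entry:
                entry.append(p)
    return caps


class FakeSubmissionServer:
    """Scripted stand-in for mail.my-domain.fr: no sockets, no real TLS."""

    def __init__(self, starttls_supported: bool = True):
        self.tls = False
        self.starttls_supported = starttls_supported

    def greeting(self) -> str:
        return "220 mail.my-domain.fr ESMTP Postfix"

    def handle(self, command: str) -> str:
        verb = command.split()[0].upper()
        if verb == "EHLO":
            lines = ["250-mail.my-domain.fr", "250-PIPELINING", "250-SIZE 31457280"]
            if self.starttls_supported and not self.tls:
                lines.append("250-STARTTLS")  # offered on the plaintext leg only
            lines += ["250-AUTH PLAIN LOGIN", "250-ENHANCEDSTATUSCODES", "250 CHUNKING"]
            return "\n".join(lines)
        if verb == "STARTTLS":
            if self.tls or not self.starttls_supported:
                return "454 4.7.0 TLS not available due to local problem"
            self.tls = True  # the handshake itself is elided
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            return ("235 2.7.0 Authentication successful" if self.tls
                    else "530 5.7.0 Must issue a STARTTLS command first")
        return "221 2.0.0 Bye" if verb == "QUIT" else "502 5.5.2 Error: command not recognized"


def submit_session(port: int, server: FakeSubmissionServer,
                   user: str = "notify@example.invalid",
                   app_password: str = "app-password-placeholder") -> List[Tuple[str, str]]:
    """Run the dialogue a careful mailbox client should run and return it as
    (side, line) pairs ('C' client, 'S' server). The app password leaves the
    client only over TLS: 465 is TLS from the first byte; on 587 the client
    needs STARTTLS in the EHLO reply, upgrades, repeats EHLO and only then
    authenticates. Any other port, or a missing or failed STARTTLS, ends the
    session without AUTH no matter what the plaintext EHLO advertised."""
    log: List[Tuple[str, str]] = []

    def send(cmd: str) -> str:
        log.append(("C", cmd))
        reply = server.handle(cmd)
        log.append(("S", reply))
        return reply

    if port == 465:
        server.tls = True  # implicit TLS: the handshake precedes the greeting
    elif port != 587:
        log.append(("C", f"refusing port {port}: not a submission port"))
        return log
    log.append(("S", server.greeting()))
    caps = parse_ehlo(send("EHLO pfsense.example"))
    if not server.tls:
        if "STARTTLS" not in caps or not send("STARTTLS").startswith("220"):
            send("QUIT")
            return log
        caps = parse_ehlo(send("EHLO pfsense.example"))  # re-read after upgrade
    if "PLAIN" in caps.get("AUTH", []):
        token = base64.b64encode(f"\0{user}\0{app_password}".encode()).decode()
        send("AUTH PLAIN " + token)
    send("QUIT")
    return log


def client_verbs(log: List[Tuple[str, str]]) -> List[str]:
    """First word of each client line, for checking command order."""
    return [line.split()[0] for side, line in log if side == "C"]
```

Running `submit_session(587, FakeSubmissionServer())` yields the client sequence EHLO, STARTTLS, EHLO, AUTH, QUIT; on 465 it is EHLO, AUTH, QUIT; with a server that does not offer STARTTLS on 587 the client quits after the first EHLO. The point for a pfSense notification setup is the client-side policy: a server may list AUTH on the plaintext leg, as the quoted reply does, but an app password should never be sent until the connection is TLS.
-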
@gertjan Just from experience 465 would not would not work so I tried 587 and it worked. At that point I didn't care if it was SSL/TLS, I just needed it to work.
-
@flat4 said in pfSense Email notification:
not would not work
Send email from a printer, scanner, or app
and scroll down on that page until you reach :
and unfold that part.
IMHO, option 3 is the best one.
Note : I'm not Google, don't know if they 'firewall' IPs - or whatever system they use to protect their IPs.
Btw : If really needed, even port 25 can be used. That is, if your ISP let you do so.
-
I followed this and it works:-
https://forum.netgate.com/topic/111569/howto-notifications-with-gmail-smtp
-
@gertjan I no longer use gmail but when I did, I used an app password and port 587. That's why I suggested it since port 465 would not work at that time.
-
@nogbadthebad said in pfSense Email notification:
https://forum.netgate.com/topic/111569/howto-notifications-with-gmail-smtp
#metoo
That's how I created the image shown above.
-
I think OP is referring to:
https://support.google.com/accounts/answer/6010255?hl=en
"To help keep your account secure, starting May 30, 2022, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password. Please note this deadline does not apply to Google Workspace or Google Cloud Identity customers. The enforcement date for these customers will be announced on the Workspace blog at a later date."
Edit: I clicked on the sections, and it also says, "Because less secure apps can make your account more vulnerable, Google will automatically turn this setting off if it’s not being used."
and
"If "Less secure app access" is turned off for your account, you can turn it back on. We recommend switching to more secure apps instead." So that part doesn't sound at all like they're turning it off.
-
@steveits
There is also a difference between accessing the entire Google 'account' or just sending a mail.
We'll see what happens.
-
See the recent note at the bottom of the docs page section on e-mail notifications:
https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html#smtp-e-mail
Your account must have 2-step verification on and then you must create an app password for it.
I'm not sure if you could create an app password without 2FA in the past, but the first thing I'd check is to ensure that 2FA is enabled for the account. They may have locked that part down. It wouldn't surprise me if you had to make a new app password after enabling 2FA as well.
-
I just checked my account.
I've been using 2FA for many years already. This is what I found :
So, I'm actually using these "App passwords", that is, my 2 pfSense are using them, as the image shows (Apr 10 & Apr 9).
-
@steveits You are correct that my original post was referring to Google's May 30, 2022 deadline turning off third party app support. I think perhaps I read more into this than I should - but we'll know for sure in about 6 weeks. In the meantime - I have set up 2FA and set up an App password for pfSense. Notification is all working well for now. Thanks to all for their advice.
I do wish pfSense provided a little more control of which notifications to send, but that is a different topic.