Mail Notification via internal mail server not working
-
Hi,
I wanted to configure pfSense to use my internal mail server for notifications (System/Advanced/Notifications -> E-Mail server).
Unfortunately it is not possible to use the TLD I set up in System/General Setup.
In my case my domain is ws3 and the mail server is named mail.ws3. Unbound resolves this name.
When trying to use this server as E-Mail notification server I'm getting the error "Please enter valid E-Mail server address."
Questions:
- Why is it possible to use "fake" TLDs in general but not in the notification config? Seems to be inconsistent
- Can I work around this limitation? I assume if I configure the mail server via SSH in the right place it should work.
Thanks
-
I found out, that one can work around this with a modification of the file
/usr/local/pfSense/include/www/system_advanced_notifications.inc
The function call is_fqdn is problematic in my case:
    if ($validate_smtp && !is_ipaddr($post['smtpipaddress']) && !is_fqdn($post['smtpipaddress'])) {
But also working around this didn't help. When sending a test mail I receive the following error:
Could not send the message to chris@mail.ws3 -- Error: Failed to connect to ssl://mail.ws3:25 [SMTP: Failed to connect socket: stream_socket_client(): unable to connect to ssl://mail.ws3:25 (Unknown error) (code: -1, response: )]
On my mail server in mail.log I can see just the following:
- connect from pfsense
- lost connection after CONNECT
- disconnect from pfsense
Any idea what causes this error?
-
@b_chris
Is System > General Setup > DNS Resolution Behavior set to use the local DNS server?
If that doesn't help, state the IP in the SMTP notification settings instead of the host name.
-
@viragomann
Hi, DNS resolution is not an issue in this case.
But I found out something different:
The problem was the setting of "Enable SMTP over SSL/TLS". It seems like this setting does not support the STARTTLS communication (my humble understanding: start an unencrypted connection on port 25; start encryption with STARTTLS, send mail).
As soon as I configure my mail server to accept unencrypted connections (means: do not enforce STARTTLS) and uncheck this option, everything works.
Question is: Is there a way to enable STARTTLS on pfSense side?
-
@b_chris
STARTTLS is used automatically if the server provides it.
"SMTP over SSL/TLS" is what its name lets you assume. It uses TLS from the beginning. This requires that the client knows the host name and the server delivers its SSL certificate before the SMTP communication starts.
This protocol usually doesn't go over port 25.
-
@viragomann
Ok, that makes sense. For testing I tried the following:
- pfSense SMTP Port: 25
- pfSense Enable SMTP over SSL/TLS: off
- Postfix on mail server: smtpd_tls_security_level=encrypt (my understanding: this forces the use of STARTTLS)
Error message from pfSense:
Could not send the message to chris@mail.ws3 -- Error: Failed to set sender: root@pfsense.ws3 [SMTP: Invalid response code received from server (code: 530, response: 5.7.0 Must issue a STARTTLS command first)]
--> my conclusion: pfSense does not use STARTTLS
Changing the Postfix setting to smtpd_tls_security_level=may solves the issue but leads to an unsecured connection (not a real problem in my environment, but would be interesting to understand the circumstances)
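The three outcomes discussed in this thread (530 "Must issue a STARTTLS command first" when the client stays in the clear against smtpd_tls_security_level=encrypt; success with STARTTLS or with level=may; and "lost connection after CONNECT" when a client speaks implicit TLS to a plaintext port 25) can be reproduced offline with a small client/server exchange. The following is an added example, not code from pfSense or Postfix: the server is a toy that mimics Postfix's replies (the reply texts are the real Postfix ones quoted above), the STARTTLS upgrade is simulated with a flag because a real handshake would need a certificate, and the hostnames mail.ws3 / pfsense.ws3 are taken from the thread. The implicit-TLS case uses Python's real ssl client, so the handshake failure it shows is genuine.

```python
"""Toy SMTP exchange: Postfix-like smtpd_tls_security_level = may | encrypt
against a client that sends in the clear, upgrades with STARTTLS, or starts
TLS from the first byte ("Enable SMTP over SSL/TLS" pointed at port 25)."""
import socket
import ssl
import threading

STARTTLS_REQUIRED = "530 5.7.0 Must issue a STARTTLS command first"
KNOWN = {"EHLO", "STARTTLS", "MAIL", "RCPT", "DATA", "QUIT"}


def toy_smtpd(lsock, level, log):
    """Serve one session; `log` receives mail.log-style lines."""
    conn, _ = lsock.accept()
    conn.settimeout(5)
    log.append("connect from pfsense")
    last_cmd, tls = "CONNECT", False  # tls flag simulates the STARTTLS upgrade
    rfile = conn.makefile("rb")
    try:
        conn.sendall(b"220 mail.ws3 ESMTP Postfix\r\n")  # plaintext greeting, even on 25 with TLS
        while True:
            line = rfile.readline()
            if not line:  # peer went away without QUIT
                log.append(f"lost connection after {last_cmd}")
                break
            verb = line.decode("latin-1").strip().upper().split(" ")[0]
            if verb in KNOWN:
                last_cmd = verb
            if verb == "EHLO":  # advertise STARTTLS only while still in the clear
                reply = "250-mail.ws3\r\n" + ("" if tls else "250-STARTTLS\r\n") + "250 8BITMIME"
            elif verb == "STARTTLS":
                reply, tls = "220 2.0.0 Ready to start TLS", True
            elif verb in ("MAIL", "RCPT", "DATA") and level == "encrypt" and not tls:
                reply = STARTTLS_REQUIRED  # the reply the poster got from Postfix
            elif verb in ("MAIL", "RCPT"):
                reply = "250 2.1.0 Ok"
            elif verb == "QUIT":
                reply = "221 2.0.0 Bye"
            else:
                reply = "500 5.5.2 Error: bad syntax"  # e.g. a raw TLS ClientHello
            conn.sendall(reply.encode() + b"\r\n")
            if verb == "QUIT":
                log.append("disconnect from pfsense")
                break
    except OSError:
        log.append(f"lost connection after {last_cmd}")
    finally:
        conn.close()


def smtp_client(port, mode):
    """mode: 'plain' (no STARTTLS), 'starttls', or 'implicit_tls'.
    Returns the reply to MAIL FROM, or a description of the TLS failure."""
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    if mode == "implicit_tls":
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # toy: no cert to check
        try:
            ctx.wrap_socket(raw, server_hostname="mail.ws3")  # sends ClientHello, expects ServerHello
        except OSError as exc:  # receives "220 mail.ws3 ..." instead and gives up
            return f"TLS handshake failed: {getattr(exc, 'reason', exc)}"
        return "unexpected: plaintext server completed a TLS handshake"
    rfile = raw.makefile("rb")

    def cmd(text):
        raw.sendall(text.encode() + b"\r\n")
        lines = []
        while True:
            lines.append(rfile.readline().decode().rstrip("\r\n"))
            if len(lines[-1]) < 4 or lines[-1][3] != "-":  # "250-" continues, "250 " ends
                return lines

    rfile.readline()  # greeting
    ehlo = cmd("EHLO pfsense.ws3")
    if mode == "starttls":
        if "250-STARTTLS" not in ehlo:
            raw.close()
            return "server does not offer STARTTLS"
        cmd("STARTTLS")  # a real client wraps the socket in TLS right here
        cmd("EHLO pfsense.ws3")  # RFC 3207: start over after the upgrade
    mail = cmd("MAIL FROM:<root@pfsense.ws3>")[-1]
    cmd("QUIT")
    raw.close()
    return mail


def run_scenario(level, mode):
    """One in-process exchange; returns (client result, server log)."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    log = []
    server = threading.Thread(target=toy_smtpd, args=(lsock, level, log))
    server.start()
    try:
        result = smtp_client(lsock.getsockname()[1], mode)
    finally:
        server.join(timeout=5)
        lsock.close()
    return result, log


if __name__ == "__main__":
    for level, mode in [("encrypt", "plain"), ("encrypt", "starttls"),
                        ("may", "plain"), ("encrypt", "implicit_tls")]:
        result, log = run_scenario(level, mode)
        print(f"level={level:7} client={mode:12} -> {result} | mail.log: {'; '.join(log)}")
```

Run it and the four lines map directly onto the thread: the "encrypt"/"plain" pair reproduces the 530, "may"/"plain" and "encrypt"/"starttls" both reach "250 2.1.0 Ok" (only the second of them is actually encrypted in real life), and "implicit_tls" against the plaintext greeting fails client-side while the server log ends with "lost connection after CONNECT", which is exactly what the poster's mail.log showed for the "Enable SMTP over SSL/TLS" attempt on port 25.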