Netgate Discussion Forum

    SMTP server on pfSense.

      apetrenko

      Hi all,

      How to install SMTP relay/server on pfSense?
      Trying to use postfix from FreeBSD, but there are many troubles with libraries, utils, etc.

      Just curious, why Squid or sipproxy are available on PFSENSE, but nothing like mail relay. It would be great to know a reason why.

      Thank you,
      Andy

        biggsy

        @apetrenko said in SMTP server on pfSense.:

        How to install SMTP relay/server on pfSense?

        See this thread

          apetrenko

          Funny! Squid, FreeRadius server, and ntop-ng belong to the firewall, but postfix -- not. I have ~200 IPMI interfaces and each of them needs to send logs to port 25 to plain SMTP. And I have to install a dedicated VM or server for that?

          Come on, guys, be realistic: if it is a router/firewall -- remove all the stuff which does not belong to the packet filter, and add a CLI in Vyatta style. Add postfix there if it is a bit more than the IPFW box.

            Gertjan @apetrenko

            @apetrenko said in SMTP server on pfSense.:

            Funny! Squid, FreeRadius server, and ntop-ng belong to the firewall

            You're right. A firewall should be a firewall. Nothing else.
            Adding Squid and/or FreeRadius is possible because non-Netgate users created it.
            The pfSense FreeRadius package is a severely stripped-down real Radius version, the GUI really limits the usage.
            As FreeRadius is often used to grant access to 'some' (not thousands) of pfSense admins, or some portals users, or some OpenVPN clients, it's doing often 'close to nothing'.
            Squid : check out the squid support and description : it doesn't belong on a firewall at all.
            But hey, pfSense wants to be a swiss army knife solution among firewalls. So, why not.

            I'm using it (FreeRadius) actually, as it permits me not to spin up yet another VM with a dedicated Radius instance. I could use the built-in pfSense user manager.

            @apetrenko said in SMTP server on pfSense.:

            Come on, guys, be realistic: if it is a router/firewall -- remove all the stuff which does not belong to the packet filter, and add a CLI in Vyatta style. Add postfix there if it is a bit more than the IPFW box.

            Well ..... Yeah !!! I vote for that.
            I'm pretty sure also Netgate agrees with you. It's one of the reasons they created TNSR.

            The thing is, many packages are created by 'not Netgate' people. Packages are proposed, and, if they pass the tests, can be integrated into pfSense.
            One of the questions asked, will be : who supports what ?
            A program like postfix is many times bigger than pfSense itself. So will be the support.
            Because the author of the ancient pfSense package stopped supporting it, Netgate ditched the postfix package - they don't have the resources supporting that package.
            ( again : I'm just another happy pfSense user, and have no affiliation with them )

            I'm using postfix myself for years. But not on the company's network behind 'some ISP', as that would severely cripple my mail-send capabilities, but on a dedicated bare bone classic server. Multi IPv4/IPv6 multi home, with a mysql backend for the domains, addresses etc.
            A postfix setup is simple, and also huge.
            => Imagine it, write the GUI in front of postfix ..... many have tried, they all ... well, we didn't see them back.

            And IMHO, no need to put a pfSense in front of my mail server.
            When your needs are not industrial, a one digit $ / month VPS will work just fine.

            Also : pfSense is not FreeBSD. It uses FreeBSD as an OS foundation.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

              apetrenko @Gertjan

              @gertjan

              For the most popular project, it should be a kind of "back-compatibility". For pfSense 2.4 I had postfix, for 2.5.2 and 2.6 I have none. What else will be removed in 2.7?

              No support for GUI -- I'm fine with that. Just allow to install binaries, and manually configure them.

              And I'm not really a happy "pfsense user". But I have what I have. Biggest concerns:

              1. No gitops support. You can't prepare plaintext configuration files and import them to pfSense. All configuration is stored in the single configuration XML file. And yes, XML is another pain.
              2. No automation. If you need to create 100+ users for the OpenVPN server with certificates, your day will be a nightmare. Some automation can be done using a 3rd party API package, like https://github.com/jaredhendrickson13/pfsense-api but not 100%.
              3. No automation provisioning for corps. If you have 90% of new hire provisioning done by some internal automation or SSO, for VPN you need to spend some time clicking the mouse buttons and traveling web forms (a new generation of ops is really happy with that) for creating the new user.
              4. Bad support for 2.6. YES, BAD SUPPORT FOR THE EXISTING PRODUCTION VERSION. Example: just try to disable OpenVPN server in 2.6. For 2.5 it works well. (https://forum.netgate.com/topic/173004/cannot-disable-an-openvpn-instance-while-the-interface-is-assigned-remove-the-interface-assignment-first). There is 100% regression but developers do not care... Another example: https://redmine.pfsense.org/issues/12803

              I can add a few more concerns, but they are minor compared with previous ones.

              And yes, I can install "unofficial postfix" to the pfsense box. Some manual polishing (Like SASL remote relay Auth) is required, but in general, it works.

              Let me know if you need a how-to for postfix installation.

              Good luck!

                Gertjan @apetrenko

                @apetrenko

                1 : one centralized file : isn't that the strong point of what pfSense is ? Most don't even know what XML is - and who cares how it is stored ?

                4 : 2.6.0 worked for me, and I'm even using it @home. I left 2.6.0 for 23.01.

                2 & 3 : maybe pfSense doesn't cover your needs. Big OpenVPN needs over a GUI seems a pain to me, true.

                @apetrenko said in SMTP server on pfSense.:

                Let me know if you need a how-to for postfix installation.

                I think I'm good, thanks.

                  Daniel_Hyde @apetrenko

                  @apetrenko

                  Would a web based relay not work?
                  How many emails per day would you send?

                  Thanks
                  Dan

                    apetrenko @Gertjan

                    @gertjan No automation/cli is a terrible thing. Even MikroTik RouterOS and Vyatta have it.

                    And one day the sentence "it works for me" will kill our civilization.

                      apetrenko @Daniel_Hyde

                      @daniel_hyde It works, doing deeper testing.
                      About the e-mail: I need to send 1-10 e-mails, it is IPMI/iDRAC alerting which can use only plain SMTP to port 25.

                        Daniel_Hyde @apetrenko

                        @apetrenko

                        You can get cloud based relays that can do this, you can pick the port you send on and whether you want encryption or not.

                        Thanks
                        Dan

                          Gertjan @apetrenko

                          @apetrenko said in SMTP server on pfSense.:

                          I need to send 1-10 e-mails,

                          A postfix server for

                          ... to send 1-10 e-mails (per day)

                          why not ditch them into a Gmail ? Free phone popup notification as a bonus.

                            apetrenko @Gertjan

                            @gertjan because you will be surprised when you try to set it up for iDRAC on a Dell server -- it can send only to plain SMTP to port 25.

                              rcoleman-netgate Netgate @apetrenko

                              @apetrenko You don't want to run SMTP services on your firewall. You could make a VPN tunnel and route SMTP that way if you have to. That's what I've done with mine.

                              Ryan
                              Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                              Requesting firmware for your Netgate device? https://go.netgate.com
                              Switching: Mikrotik, Netgear, Extreme
                              Wireless: Aruba, Ubiquiti

                                SteveITS Galactic Empire @apetrenko

                                @apetrenko said in SMTP server on pfSense.:

                                I have ~200 IPMI interfaces and each of them needs to send logs to port 25 to plain SMTP.

                                I would use a hostname those can resolve, and then you can move it to a different SMTP server/IP later.

                                I see both sides of the discussion. We used to use the Windows Server SMTP feature before it was removed in 2022, and relay that out to 365 or Google or whatever. Using an internal SMTP allows for queuing messages from pfSense when Internet is down. Having something internal would let pfSense queue those until it connects and can relay out. Access to port 25 could be controlled by firewall rule, though the default LAN:any rule would have it open. Perhaps a separate ACL-type setting.

                                Alternately there are plenty of ways to install a free SMTP server on Windows. At some point in life someone recommended hmailserver.com but I haven't really looked at it.

                                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                Upvote 👍 helpful posts!

                                  mvikman @apetrenko

                                  @apetrenko

                                  How old are those Dell servers? According to Dell's instructions, you can set port and authentication for SMTP, at least on iDRAC7 and newer...

                                  pfSense Plus 24.11-RELEASE (amd64)
                                  Dell Optiplex 7040 SFF
                                  Core i5-6500, 8GB RAM, 2x 240GB SSD (ZFS Mirror)
                                  HPE 561T (X540-AT2), 2-port 10Gb RJ45
                                  HPE 562SFP+ (X710-DA2), 2-port 10Gb SFP+

                                    apetrenko @mvikman

                                    @mvikman authenticated, not encrypted. There is no SSL/TLS support.

                                      rcoleman-netgate Netgate @apetrenko

                                      @apetrenko highly recommend you either configure your own "satellite" SMTP server internally on your network or use a VPN to communicate to one that will work on SMTP port 25 w/o encryption.

                                        mvikman @apetrenko

                                        @apetrenko

                                        iDRAC9 supports TLS after firmware upgrade, this is from Dell KB Article 000131098:

                                        After iDRAC is upgraded to version 4.00.00.00, you may stop receiving encrypted email alerts from iDRAC, if the external email server does not support encryption. iDRAC firmware version 4.00.00.00 introduces a user-selectable encryption option and the default protocol is StartTLS. To start receiving email messages again, disable the email encryption by using the following RACADM command: "racadm set idrac.RemoteHosts.ConnectionEncryption None"

                                          Gertjan

                                          @apetrenko said in SMTP server on pfSense.:

                                          @gertjan because you will be surprised when you try to set it up for iDRAC on a Dell server -- it can send only to plain SMTP to port 25.

                                          I know.
                                          I've an old T350 PowerEdge with an iDRAC, and yes, it has very little capable mail send settings.
                                          It presumes an open port 25 and a host name. That was how things were done in the past.

                                          Maybe I can upgrade it .... never looked into that.

                                          If I had to, I would ask my NAS to 'play' mail relay : probably way easier/faster to set up.

                                          The fact that a simple pfSense upgrade or even patch can disable or break an installed postfix, or an upgrade of pfSense blows postfix out of the water, is a no go.

                                            apetrenko @Gertjan

                                            Guys, don't tell me what I should change in my infrastructure, what I have to upgrade, and what I need to do. If you ever certify your infra by PCI/SoC/ISO, you probably know how hard and expensive it is to "add satellite server to send e-mail" or "upgrade your idrac to V1.23.456.789" in the middle of the compliance period.

                                            I found a better and simple solution: https://github.com/wiggin77/mailrelay installed on pfSense.

                                            Works well and is exactly what I need: receive an e-mail by plain SMTP inside the network and send it to AWS mail relay by STARTTLS to 587.

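The two-leg relay this thread ends on (plain SMTP on port 25 inside the network, STARTTLS to port 587 upstream, with the source ACL SteveITS mentions), as an added Python example. It is not code from the thread or from the mailrelay project; the names `is_allowed`, `forward` and `Handler`, the network, the host name and the credentials are constructed placeholders.

```python
import ipaddress, smtplib, socketserver, ssl

ALLOWED = [ipaddress.ip_network("10.20.0.0/24")]  # constructed: BMC management VLAN
UPSTREAM = ("smtp.example.invalid", 587)           # placeholder submission host
CREDS = ("relay-user", "relay-password")           # placeholder credentials

def is_allowed(ip, nets=ALLOWED):
    """ACL for the plaintext leg, so port 25 is not an open relay."""
    return any(ipaddress.ip_address(ip) in net for net in nets)

def forward(sender, rcpts, data, upstream=UPSTREAM, creds=CREDS):
    """Encrypted leg: credentials and mail leave only over verified TLS."""
    with smtplib.SMTP(*upstream, timeout=30) as s:
        # starttls() raises if STARTTLS is missing; the context verifies the cert
        s.starttls(context=ssl.create_default_context())
        s.login(*creds)
        s.sendmail(sender, rcpts, data)

class Handler(socketserver.StreamRequestHandler):
    deliver = staticmethod(forward)    # swappable, e.g. for a test double

    def reply(self, line):
        self.wfile.write(line.encode() + b"\r\n")

    def handle(self):
        if not is_allowed(self.client_address[0]):
            return self.reply("554 relay access denied")
        self.reply("220 relay ready")
        env = {"MAIL": [], "RCPT": []}     # envelope sender and recipients
        for raw in self.rfile:
            cmd = raw.decode("latin-1").strip()
            verb, arg = cmd[:4].upper(), cmd.partition(":")[2].strip(" <>")
            if verb in ("HELO", "EHLO"):
                self.reply("250 relay")    # no extensions offered: plain SMTP only
            elif verb in env:
                env[verb].append(arg)
                self.reply("250 ok")
            elif verb == "DATA" and env["MAIL"] and env["RCPT"]:
                self.reply("354 end with <CRLF>.<CRLF>")
                body = b""
                while (line := self.rfile.readline()) not in (b".\r\n", b""):
                    body += line[1:] if line[:1] == b"." else line  # dot-unstuffing
                if not line:
                    return                 # client dropped mid-DATA: never forward
                try:
                    self.deliver(env["MAIL"][-1], env["RCPT"], body)
                    self.reply("250 accepted by upstream")
                except Exception:          # no queue here: the sender must retry
                    self.reply("451 upstream unavailable")
                env = {"MAIL": [], "RCPT": []}
            elif verb == "QUIT":
                return self.reply("221 bye")
            else:
                self.reply("503 bad sequence or unsupported command")
```

Serve it bound to the LAN-side address only, for example `socketserver.ThreadingTCPServer((lan_ip, 25), Handler).serve_forever()` with `lan_ip` as a placeholder. It keeps no queue, so delivery during an upstream outage depends on the sending device retrying after the 451.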
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.