Can't get notifications on 1 firewall to work with Office365
-
Microsoft has almost completely migrated their Office 365 hosted mail systems away from simple password authentication over to multifactor authentication.
I have my own domain and use the Exchange hosted email of Office 365, and I had to migrate all of my LAN notifications away from my Microsoft Office 365 email accounts over to my Apple iCloud email. Even specific app passwords are now hard to make work with Office 365.
I'm pretty sure that is what you are up against. You may have to find an alternate email provider that still allows password auth in order to get notifications to work.
Mine worked originally (and for quite a long time), but starting late last year Microsoft began the move away from simple password auth on a phased-in schedule.
-
That is one of the things I'd considered, but all of my boxes use the same account. If this were the issue then I would expect it would affect all of them, no?
-
@stewart said in Can't get notifications on 1 firewall to work with Office365:
That is one of the things I'd considered, but all of my boxes use the same account. If this were the issue then I would expect it would affect all of them, no?
It may migrate to all of them eventually. That's what happened to me. I lost the ability for direct connections from pfSense, and then Veeam Backup, then a couple of FreeBSD VMs that sent weekly status updates via Office 365.
I created a local postfix setup for my local VMs to send mail to, and then that postfix host has an app password for my iCloud email account. That iCloud account sends the emails to my Office 365 account.
I tried a number of solutions in an attempt to get my Office 365 direct-connection working, but never succeeded. That's why I gave up and started using the convoluted iCloud intermediary route. I fully expect Apple to, at some point, stop simple password auth as well.
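A minimal Postfix smarthost configuration of the kind described in this post, added here as an illustration (it is not bmeeks' actual setup). It assumes a LAN range of 192.168.1.0/24, the iCloud submission endpoint smtp.mail.me.com on port 587, and a placeholder app password; Postfix only recognises comments at the start of a line, so none are placed after values.

```ini
# /etc/postfix/main.cf (excerpt) - constructed example, not the poster's config.
# Only hosts on the LAN (pfSense, Veeam, the FreeBSD VMs) may relay through this box;
# anything else is refused unless the destination is local.
# 192.168.1.0/24 is an assumed LAN range.
mynetworks = 127.0.0.0/8, 192.168.1.0/24
inet_interfaces = all
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# Hand all outbound mail to the iCloud submission service using the app password.
# smtp.mail.me.com:587 is the assumed iCloud endpoint; adjust for another provider.
relayhost = [smtp.mail.me.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# Never send the app password over an unencrypted session, and verify the
# relay's certificate against the system CA bundle.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# /etc/postfix/sasl_passwd - one line, owned by root, chmod 600,
# then run: postmap /etc/postfix/sasl_passwd   (and: postfix reload)
# The address and password below are placeholders.
[smtp.mail.me.com]:587 user@icloud.com:APP-PASSWORD-PLACEHOLDER
```

Point the pfSense notification settings (and the other LAN hosts) at this relay on port 25 with no authentication, since the relay is what holds the credential; if the upstream provider only accepts mail whose sender matches the authenticated account, set the notification From address to that account.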
-
@bmeeks Soon we will be enabling Security Defaults on the domain. I thought I would be crossing the bridge at that point. Is there not a way to get the notification working with security defaults? We have accounts at another provider we can use, I suppose. I'd prefer to keep it internal to the Exchange server if I can.
-
@stewart said in Can't get notifications on 1 firewall to work with Office365:
@bmeeks Soon we will be enabling Security Defaults on the domain. I thought I would be crossing the bridge at that point. Is there not a way to get the notification working with security defaults? We have accounts at another provider we can use, I suppose. I'd prefer to keep it internal to the Exchange server if I can.
It depends on your local network setup. If you have a static business IP address, then you can configure some special connectors on the Exchange Admin page that will allow inbound traffic from certain hosts (for example, your specific static WAN IP) using password auth. But that configuration is not "dynamic", so it can't adapt to WAN IPs that change. Here is the official Microsoft doc on setting this up: https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365. What you want to do with pfSense email notifications is the equivalent of what that Microsoft doc calls "multifunction devices" (they are specifically talking about printer/copier/scanner devices).
Since I am on residential service with no static IP, that process was not available. Nothing else I tried worked.
-
@stewart Does the client have a Windows Server in house? 2019 and earlier had an SMTP "feature" that can be set to only accept and only relay from certain IPs, then it can be set to deliver to 365 as a smart host. Unfortunately they removed it from Server 2022.
Using an internal relay also has the small bonus that if the Internet is down pfSense can't email you that the Internet is down...at least with a relay you get the notification eventually.
If they have a static IP then a connector is easiest (option 3 in Bill's URL) or the direct send (option 2) which you can set to a distribution list, and then put your email on the distribution list.
-
@bmeeks We have 60 units in production. They are about 75% static / 25% DHCP. That could work for some but not for others. Did you try using an app password?
-
@steveits We have these at just over 60 of our clients. Most we have moved off of internal servers to various cloud infrastructures so no Windows servers. This particular client is in that group. Roughly 1/4 of our units are DHCP so whatever solution we use will need to take that into account. Static connectors will work for some but not all. Thanks for the suggestions.
-
@stewart said in Can't get notifications on 1 firewall to work with Office365:
I have one that recently stopped working
The notification mails: this is where a classic Gmail excels.
Of course, you can't create a Gmail (Google) mail and then use that mail and its password in pfSense: you have to create a special "one-device-usage" password for that**. But it isn't hard.
The bonus is: you have, like an SMS, a popup on your phone when pfSense sends a mail (quite rare, actually).
** So, if someone manages to get their hands on the pfSense config file, they can't access your Gmail account.
Btw: 587 or submission is 'EOL'.
It's port 465 these days with TLS 1.3.
-
@stewart said in Can't get notifications on 1 firewall to work with Office365:
@bmeeks We have 60 units in production. They are about 75% static / 25% DHCP. That could work for some but not for others. Did you try using an app password?
It's been several months back, but I am pretty sure I tried the app password route and it would not work with the new Office 365 security settings. Microsoft's goal is to completely shut down simple password authentication for SMTP including app passwords.
You can postpone the inevitable for a short time by not turning on multifactor authentication, but eventually you will get forced over to MFA and lose simple password login.