Netgate Discussion Forum

    Support for API based email delivery

    • Wolfgangthegreat

      Hello,

      Does anyone know if it is planned to have a notification option to send email using web API based services like Amazon AWS SES or SendGrid (has a free plan of 100 emails sent per day)?

      It will help us send emails indirectly, hence not needing to expose the Firewall's public IP in a public SPF record and its IP will not be part of the SMTP headers of the email delivery - hence we will be able to keep the FW hidden from the world (when needed) and avoid attacks like Denial of Service, port scans and so on.

      • stephenw10 Netgate Administrator

        There are no plans to add that as far as I know. You should create a feature request:
        https://redmine.pfsense.org/

        Steve

        • Wolfgangthegreat @stephenw10

          @stephenw10
          Thanks, added now a feature request at https://redmine.pfsense.org/issues/14903

          • Wolfgangthegreat @Wolfgangthegreat

            @stephenw10

            OK, I found a way to send emails from pfSense via SendGrid, using the current pfSense configuration (version 2.7.0)

            (SendGrid, as noted above, has a free plan that enables you to send 100 emails per day, via its service, for free, which should be, I think, more than enough to get email notifications from your pfSense device).

            The delivery is done via SendGrid's SMTP server, but the security advantage of services like SendGrid is kept – as the actual delivery does not include the IP address of the sending pfSense device (like when sending via web API); but it DOES INCLUDE the name of the pfSense device, like pfsense.home.arpa, so remember to change the device's name if you wish to avoid identification by the recipients of the notification emails.
            You can change the device name at System > General Setup.

            First, some preparations at SendGrid:

            1. Create a SendGrid user account at https://signup.SendGrid.com/; or log in if you already have an account there - https://app.SendGrid.com/login/
            2. Create an API key, how to - https://docs.SendGrid.com/ui/account-and-settings/api-keys
              2.1. It is better, for both security reasons and for operational reasons – to have a unique API key for pfSense, even for each pfSense device
              2.2. Grant the API key the minimal permissions needed to send email – Settings > API Keys. For "API Key Permissions" select "Restricted Access". For "Access Details" open the "Mail Send" section and only enable "Mail Send". Save the change.
              2.3. Save the API key value in your offline records; you will need to use it as the SendGrid account "password" at pfSense. Once the API key is generated and saved, you will not be able to see the key's value!
            3. If you enabled "IP Access Management" (limit delivery only from allowed IP address(es)), then go to Settings > IP Access Management. Add the IP address of the pfSense device, the IP that is facing the Internet and will be the one to communicate with the SendGrid email server

            Generally follow the instructions on the following post by SendGrid, "Integrating with the SMTP API" (although I think it is better to use port 465, as it uses a more secure method than the one of port 587)
            https://docs.SendGrid.com/for-developers/sending-email/integrating-with-the-smtp-api

            DO NOT do what is written in the following post, titled "How to Send an SMTP Email"; it is for sending emails via SendGrid using Telnet to SendGrid's SMTP server, which needs the input to be formatted as Base64.
            Base64 format will NOT be accepted by SendGrid when sending emails via pfSense, and you will get an error message like
            "Could not send the message to <email address> -- Error: PLAIN authentication failure [SMTP: Invalid response code received from server (code: 535, response: Authentication failed: Bad username / password)]"
            https://docs.SendGrid.com/for-developers/sending-email/getting-started-smtp

            At pfSense:

            1. Go to System > Advanced > Notifications
            2. Of course, uncheck "Disable SMTP"
            3. Add to "E-Mail server" the value of smtp.SendGrid.net
            4. For "SMTP Port of E-Mail server" I used 465 (SMTP with TLS, most secure)
            5. (Connection timeout to E-Mail server – whatever you wish)
            6. Secure SMTP Connection – Enable-Checked
            7. Validate SSL/TLS – Enabled-Checked
            8. (From e-mail address – whatever you wish)
            9. (Notification E-Mail address – whatever you wish)
            10. Notification E-Mail auth username (optional) – this is NOT optional; you have to insert here exactly the system word of "apikey" (without the quotations). This tells SendGrid that you are not authenticating as a specific regular user, but as an API key
            11. Notification E-Mail auth password – insert here the exact relevant API key value that you recorded when you created it. It is acting as your "password"
            12. Notification E-Mail auth mechanism – Select the fixed value of "PLAIN"
            13. Scroll down to the bottom of the page and click "Save"
            14. Once the page has reloaded – Click the "Test SMTP Settings" button to see if you receive a test email to the target email address

            If you get a warning about network issues, like "Error: Failed to connect to ssl://smtp.SendGrid.net:465 [SMTP: Failed to connect socket: Operation timed out (code: -1, response: )]":

            1. Test the general ability to reach the target server at the target port, using pfSense's port test at Diagnostics > Test Port
            2. If the above port test also fails (but generally you have network admin access to pfSense from the Internet, or even pfSense can perform a check to see if it has a new version (at Status > Dashboard > System Information widget > Versions section > click the arrows circle icon)), I suggest approaching the support of the ISP/Cloud host firm. Many of these firms block by default access to SMTP ports on the Internet, to prevent spam delivery from their systems by their customers

            Notice that you do not need to create any Firewall rule for the notification emails to communicate with the target SMTP server; it will be allowed internally by pfSense, based on the notification configuration you enabled and adjusted.

            Good luck!
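
Added example, not part of the original post and not pfSense or SendGrid code: a Python sketch of the settings above (port 465 with certificate validation, username `apikey`, mechanism PLAIN), showing what a standard SMTP client puts on the wire and why credentials that were already Base64-encoded by hand end in the 535 error quoted in the post. It assumes the sending client does the AUTH PLAIN encoding itself (RFC 4616); the helper names and the API key value are constructed for illustration.

```python
import base64
import smtplib
import ssl
from email.message import EmailMessage

SMTP_HOST = "smtp.sendgrid.net"  # server name from the post
SMTP_PORT = 465                  # implicit TLS, as chosen in the post
AUTH_USER = "apikey"             # literal username required for API-key auth


def auth_plain_response(username, password):
    """What the client sends for AUTH PLAIN: base64(NUL user NUL password)."""
    raw = b"\0" + username.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def server_view(response_b64):
    """Decode an AUTH PLAIN response the way the receiving server does."""
    _authzid, user, password = base64.b64decode(response_b64).split(b"\0")
    return user.decode(), password.decode()


def pre_encoded(value):
    """A credential Base64-encoded by hand, as the Telnet guide requires."""
    return base64.b64encode(value.encode()).decode("ascii")


def send_test(api_key, sender, recipient):
    """Live check from any host; needs network access, never run on import."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "SMTP test"
    msg.set_content("Test message sent with a restricted Mail Send API key.")
    ctx = ssl.create_default_context()  # validates certificate and host name
    with smtplib.SMTP_SSL(SMTP_HOST, SMTP_PORT, context=ctx, timeout=20) as smtp:
        smtp.login(AUTH_USER, api_key)  # the library does the Base64 step
        smtp.send_message(msg)


if __name__ == "__main__":
    key = "SG.constructed-placeholder-key"  # constructed value, not a real key
    good = auth_plain_response(AUTH_USER, key)
    bad = auth_plain_response(pre_encoded(AUTH_USER), pre_encoded(key))
    # The server recovers ("apikey", key) from the first response only;
    # from the second it sees the user "YXBpa2V5" and rejects it.
    print("plain values entered   ->", server_view(good))
    print("pre-encoded values sent ->", server_view(bad))
```

Running `send_test` with a real restricted key from a second host is a quick way to tell a bad key apart from a blocked SMTP port on the firewall's own network.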

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.