EMAIL Notification Issue


  • Moderator

    I am having an issue with "System: NOTIFICATION / SMTP".

    I have "DNS Forwarder" set to forward "mail.domain.com" to 10.10.10.5, I have the Notification "Email server" set to "mail.domain.com", and the emails never go out.

    If I change the "Email Server" in Notification to 10.10.10.5, the emails don't go out.

    When I change "mail.domain.com" to the external IP address of the mail server, the emails go through, as this sends the email out through the internet to get to my mail server.

    Would prefer the mail to stay within my VPN tunnel if possible.

    If I add a static route as indicated in this link -

    https://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

    I have issues with Linux machines not communicating properly through the VPN tunnel.

    Is this issue similar to the SYSLOG issue?

    "This option will allow the logging daemon to bind to a single IP address, rather than all IP addresses. If you pick a single IP, remote syslog servers must all be of that IP type. If you wish to mix IPv4 and IPv6 remote syslog servers, you must bind to all interfaces."

    Are there any workarounds?

    Thanks


  • Moderator

    Does anyone have a similar issue to the post below?


  • Moderator

    Anyone….. Someone must be using Email Notification?

    Thanks.


  • Rebel Alliance Developer Netgate

    That's just how IPsec operates currently. The traffic follows the routing table, so unless you have a route telling it to go "out" the LAN, it will not be sourced from the LAN and will end up going out WAN.

    If you want better control over the VPN routing, you'll need to use a routed VPN setup such as OpenVPN or IPsec in transport mode + GRE. OpenVPN is much easier if the other side supports it.

    If your WAN has a static IP, you might be able to work around that by adding another IPsec Phase 2 to cover the path from your WAN IP to the 10.10.10.x network on both ends.
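    As an added illustration of the point made above (example code written for this thread, not code from the thread or from pfSense): a small model of why a firewall-originated SMTP packet follows the routing table, is sourced from the WAN address, misses the LAN-to-remote Phase 2 selector, and how each of the two workarounds changes that. All addresses except the mail server 10.10.10.5 are assumed.

```python
import ipaddress

# Constructed addresses (assumed, not the thread's real network): LAN 192.168.1.0/24,
# WAN 203.0.113.10, remote site 10.10.10.0/24; the mail server 10.10.10.5 is from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LAN_IP = ipaddress.ip_address("192.168.1.1")
WAN_IP = ipaddress.ip_address("203.0.113.10")
REMOTE_NET = ipaddress.ip_network("10.10.10.0/24")
MAIL_SERVER = ipaddress.ip_address("10.10.10.5")

# Routing table as (destination prefix, address the firewall sources from); Phase 2 as (local, remote).
DEFAULT_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), WAN_IP), (LAN_NET, LAN_IP)]
BASE_PHASE2 = [(LAN_NET, REMOTE_NET)]

def source_for(dst, routes):
    """Longest-prefix match; traffic the firewall itself originates is sourced
    from the address of the interface the winning route points at."""
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def matches_phase2(src, dst, phase2s):
    """Tunnel-mode IPsec only encrypts a packet whose src/dst fall inside a Phase 2 pair."""
    return any(src in local and dst in remote for local, remote in phase2s)

def classify(dst, routes, phase2s):
    """Return (path, source address) for a packet the firewall sends to dst."""
    src = source_for(dst, routes)
    return ("ipsec", src) if matches_phase2(src, dst, phase2s) else ("cleartext", src)

def baseline():
    # Thread's starting point: notification sourced from WAN, so the Phase 2 never matches.
    return classify(MAIL_SERVER, DEFAULT_ROUTES, BASE_PHASE2)

def extra_phase2():
    # Workaround from the reply above: a second Phase 2 from the WAN /32 to the remote network.
    wan_host = ipaddress.ip_network(f"{WAN_IP}/32")
    return classify(MAIL_SERVER, DEFAULT_ROUTES, BASE_PHASE2 + [(wan_host, REMOTE_NET)])

def static_route():
    # The linked doc's approach: route the remote network via LAN so the packet is sourced from LAN.
    return classify(MAIL_SERVER, [(REMOTE_NET, LAN_IP)] + DEFAULT_ROUTES, BASE_PHASE2)
```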


  • Moderator

    @jimp:

    That's just how IPsec operates currently. The traffic follows the routing table, so unless you have a route telling it to go "out" the LAN, it will not be sourced from the LAN and will end up going out WAN.

    If you want better control over the VPN routing, you'll need to use a routed VPN setup such as OpenVPN or IPsec in transport mode + GRE. OpenVPN is much easier if the other side supports it.

    If your WAN has a static IP, you might be able to work around that by adding another IPsec Phase 2 to cover the path from your WAN IP to the 10.10.10.x network on both ends.

    Thanks Jim,

    I tried to create a 2nd phase 2 on both pfSense Routers without success.

    I set the 2nd PH2 to,

    Tunnel IPv4 (also tried changing the Type to WAN Subnet)
    Type - Address
    xxx.xxx.xxx.xxx /32 (WAN address)
    NAT/BINAT - None
    Network - 10.10.1.0 /24 (tried to set this as the remote router 10.10.1.1 /32)
    ESP

    Tried AES, then Blowfish separately (all on Auto).

    Tried with one or several hashes.

    PFS 512,1024,2048, OFF

    No Luck. Also tried to turn on "Prefer older IPsec SAs"

    First Phase 1 is solid; the first Phase 2 has no issue either. ESP 2048, AES256, SHA512.

    I will try to debug with an ssh shell using racoon -F -d -v -f /var/etc/racoon.conf

    Thanks.