Port 587 not working for SMTP Notifications?



  • Has anyone got port 587 working for SMTP Notifications?

    In System: Advanced: Notifications, I have configured SMTP E-Mail and get below error when using port 587:

    "php-fpm[59409]: /system_advanced_notifications.php: Could not send the message to myemail@gmail.comError: could not connect to the host "smtp.gmail.com": ??"

    I am trying to use port 587 together with SSL/TLS. I have tested different email providers, for example gmail.com and outlook.com. Same error with all of them. I can log in using other clients like Outlook 2013 and iPhone. pfSense is version 2.2.3-RELEASE (i386).

    Important - It works with Gmail if using port 486! But my standard provider only supports port 587 so I need this working.



  • Have you entered your mail account credentials? Port 587 requires authentication.

    With my provider it only works if I've checked "Enable STARTTLS".



  • It works, thanks!  :)

    Lesson learned:

    1. "Test SMTP" doesn't always work if you do not Save FIRST… [BUG?]

    2. I'm probably stupid but I don't understand the difference between enabling "SMTP over SSL/TLS" and "STARTTLS"! If one is used for port 486 and the other with port 587, shouldn't the GUI or something take care of choosing the correct one?  :o

    EDIT: Above I meant port 465, not 486.


  • Banned

    There's no port 486 for Gmail in the first place…



  • @doktornotor:

    There's no port 486 for Gmail in the first place…

    Maybe officially not, but it worked at least yesterday.



  • 486 is not a standard port for anything so I'm wondering how you even managed to discover that or where it came from?  You port-scanned Google mail servers and then tried any open ports you could find??



  • Sorry, should be "465", I wrote the wrong number.



  • 465 is for SMTP over TLS, so SSL/TLS is mandatory.


  • Netgate

    465 is a port Microsoft used for SMTP listening over SSL.  In that case, SSL happens before any communications take place, i.e. before the SMTP 220 banner is sent by the server, just like https.  It is a non-standard port but a de facto standard because the world marches to Microsoft's drum - more so in the past.

    STARTTLS is negotiated after the initial connection and an EHLO.

    telnet smtp.gmail.com 587

    Trying 74.125.20.109…
    Connected to gmail-smtp-msa.l.google.com.
    Escape character is '^]'.
    220 smtp.gmail.com ESMTP sjdhsdjskksjbder4jnf - gsmtp
    ehlo example.org
    250-smtp.gmail.com at your service, [X.Y.Z.A]
    250-SIZE 35882577
    250-8BITMIME
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-CHUNKING
    250 SMTPUTF8

    Note that there are no authentication options presented yet.  This is because Gmail requires SSL/STARTTLS prior to authentication.  Your mail client would see the STARTTLS capability advertised by the server, start the STARTTLS process and would be presented with a new set of options similar to this:

    openssl s_client -connect smtp.gmail.com:587 -starttls smtp

    250 SMTPUTF8
    EHLO example.com
    250-smtp.gmail.com at your service, [X.Y.Z.A]
    250-SIZE 35882577
    250-8BITMIME
    250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN XOAUTH
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-CHUNKING
    250 SMTPUTF8

    Client would then authenticate and submit its message.  Messages must be rejected prior to authentication on smtp-submit 587.

    A connection to 465 doesn't require starttls, but if SSL/TLS isn't automatically negotiated, the connection will fail:

    openssl s_client -connect smtp.gmail.com:465

    220 smtp.gmail.com ESMTP ssdfssdfsdfsfsf6 - gsmtp
    ehlo example.com
    250-smtp.gmail.com at your service, [X.Y.Z.A]
    250-SIZE 35882577
    250-8BITMIME
    250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN XOAUTH
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-CHUNKING
    250 SMTPUTF8

    POP3 and IMAP listen with SSL on 995 and 993 respectively and might also support STARTTLS on the normal (plaintext) 110 and 143 ports.
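
The two modes described in the last post, as an added example (not part of the thread and not pfSense code): it parses the EHLO replies quoted above to decide the client's next step, and shows the matching `smtplib` calls for port 465 versus port 587. The names `parse_ehlo`, `next_step` and `open_submission` are hypothetical, and aborting when neither STARTTLS nor AUTH is offered is this example's policy.

```python
import smtplib
import ssl

# EHLO reply copied from the plaintext port-587 session quoted in the post above.
EHLO_PLAINTEXT_587 = """\
250-smtp.gmail.com at your service, [X.Y.Z.A]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8"""
# Inside TLS the quoted reply is identical except AUTH replaces STARTTLS.
EHLO_INSIDE_TLS = EHLO_PLAINTEXT_587.replace(
    "250-STARTTLS", "250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN XOAUTH")

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:  # line 1 is the greeting
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError("not a 250 reply line: %r" % line)
        keyword, *params = line[4:].split()
        caps[keyword.upper()] = params
    return caps

def next_step(caps, tls_active):
    """Never authenticate in cleartext: upgrade first, then require AUTH."""
    if not tls_active:
        return "STARTTLS" if "STARTTLS" in caps else "ABORT"
    return "AUTH" if "AUTH" in caps else "ABORT"

def open_submission(host, port, implicit_tls):
    """Live equivalent with smtplib (needs network, so it is not called here)."""
    ctx = ssl.create_default_context()          # verifies certificate and hostname
    if implicit_tls:                            # port 465: TLS before the 220 banner
        return smtplib.SMTP_SSL(host, port, context=ctx, timeout=10)
    conn = smtplib.SMTP(host, port, timeout=10) # port 587: plaintext banner first
    conn.ehlo()
    if not conn.has_extn("starttls"):
        conn.close()
        raise smtplib.SMTPNotSupportedError("server did not offer STARTTLS")
    conn.starttls(context=ctx)
    conn.ehlo()                                 # capabilities change after the upgrade
    return conn
```

Selecting implicit TLS against port 587 fails because the client starts a TLS handshake while the server is sending a plaintext 220 banner, which matches the "could not connect" error in the first post.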