Emails being blocked sending out

  • We have App server trying to connect to google apps SMTP relay but they aren't getting to them and our server admin looked and believes it's the FW not allowing to pass through. Logs show permission error on either suitecrm or owncloud which are the two applications needing to send out emails.

    We have two interfaces (WAN, LAN) and I've attached screenshot of both rules

    Any ideas or help would be greatly appreciated.

    FYI, it all worked when we had hosted on AWS EC2 and just moved to local hosting.
    ![Screen Shot 2015-08-21 at 11.45.26 AM.png](/public/imported_attachments/1/Screen Shot 2015-08-21 at 11.45.26 AM.png)
    ![Screen Shot 2015-08-21 at 11.45.26 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-08-21 at 11.45.26 AM.png_thumb)
    ![Screen Shot 2015-08-21 at 11.45.36 AM.png](/public/imported_attachments/1/Screen Shot 2015-08-21 at 11.45.36 AM.png)
    ![Screen Shot 2015-08-21 at 11.45.36 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-08-21 at 11.45.36 AM.png_thumb)

  • LAYER 8 Netgate

    outbound connections are governed by rules on LAN, not WAN.  That rule passes everything and so it's not the problem.

    My first guess is your ISP is blocking outbound tcp/25 connections.

    from a host on LAN:

    telnet 25

    what happens?

    telnet 587

    what happens?

  • Scotts-MacBook-Pro:~ ScottParks$ telnet 465
    Connected to
    Escape character is '^]'.

    Scotts-MacBook-Pro:~ ScottParks$ telnet 587
    Connected to
    Escape character is '^]'.
    220 ESMTP hh3sm8662756pbc.8 - gsmtp

    Scotts-MacBook-Pro:~ ScottParks$ telnet 25
    telnet: connect to address Operation timed out
    telnet: connect to address Operation timed out
    Trying 2607:f8b0:400e:c01::6c...
    telnet: connect to address 2607:f8b0:400e:c01::6c: No route to host
    telnet: Unable to connect to remote host

  • LAYER 8 Netgate

    ISP's blocking it most likely.  Interesting they pass 465.

    Your best bet is probably tcp/587 + STARTTLS + authentication.

  • I've tried both 465 and 587 and use IP auth with google apps.

    Google is saying they never get the request from our public IP.

    Is there any proof I can provide to AT&T that they aren't allowing my traffic to pass? Otherwise they are just going to play dumb.

    ![Screen Shot 2015-08-21 at 12.33.27 PM.png](/public/imported_attachments/1/Screen Shot 2015-08-21 at 12.33.27 PM.png)
    ![Screen Shot 2015-08-21 at 12.33.27 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-08-21 at 12.33.27 PM.png_thumb)

  • LAYER 8 Netgate

    You have proof?  It's not going to be a secret to them that they block outbound tcp/25.  You might just have to ask for it to be opened.

    This is not a pfSense problem.

  • Had a similar issue before
    My ISP appear to block port 25
    I've used port 587 and it works
    Make sure to nat the port to the app server

  • Here's an update. I was able to configure MacBook Outlook to connect to google apps with 465 and was able to send test mail out.

    So theoretically it should be the same and not a pfsense or ISP problem, right???

  • LAYER 8 Netgate

    Dude -

    How do the devices you're trying to send mail with send mail?

    25 Starts Clear - STARTTLS sometimes supported - authentication might be required
    465 Starts with SSL - authentication might be required
    587 Starts Clear - STARTTLS sometimes supported - authentication required before email submission

  • SuiteCRM and OwnCloud both worked with current settings using port 465 and google apps IP auth when it was being hosted on EC2 but since we moved it back locally it doesn't work. All settings are the same. Only thing I had to change was of course the auth IP that google apps had to allow from EC2 IP to my WAN IP.

  • Banned

    Dude. I already gave you a link to provide some useful testing and debugging info on the other thread. Why don't you just do it?

  • Scotts-MacBook-Pro:~ ScottParks$ openssl s_client -connect -starttls smtp
    depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    Certificate chain
    0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/
      i:/C=US/O=Google Inc/CN=Google Internet Authority G2
    1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
      i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
      i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

    Server certificate
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

    No client certificate CA names sent

    SSL handshake has read 3492 bytes and written 479 bytes

    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 21900F806CB079425019879EF325A4CF74D08715C6298AF1EFAD447E5980F4AA
        Master-Key: 8AD0BBF7C086A831DB2D4FD80293AC72AAC90A855834C129C51046BF7DDAD9522B6BE2B9CB9C7804A826A0EFBFE84BAA
        Key-Arg  : None
        Start Time: 1440296241
        Timeout  : 300 (sec)
        Verify return code: 0 (ok)

    250 SMTPUTF8

  • Banned

    Awesome. So, pfSense is completely out of business as far as this goes. It blocks nothing. Please, focus your debugging elsewhere and follow up in the proper forum. (That is, the one for software you are having trouble with. It's not pfSense.)

Log in to reply