Emails being blocked sending out



  • We have an app server trying to connect to the Google Apps SMTP relay, but the connections aren't getting through, and our server admin looked and believes it's the FW not allowing them to pass. Logs show a permission error on either SuiteCRM or ownCloud, which are the two applications that need to send out emails.

    We have two interfaces (WAN, LAN) and I've attached screenshots of both rule sets.

    Any ideas or help would be greatly appreciated.

    FYI, it all worked when we had it hosted on AWS EC2; we just moved to local hosting.
    ![Screen Shot 2015-08-21 at 11.45.26 AM.png](/public/imported_attachments/1/Screen Shot 2015-08-21 at 11.45.26 AM.png)
    ![Screen Shot 2015-08-21 at 11.45.36 AM.png](/public/imported_attachments/1/Screen Shot 2015-08-21 at 11.45.36 AM.png)


  • LAYER 8 Netgate

    Outbound connections are governed by rules on LAN, not WAN. That rule passes everything, so it's not the problem.

    My first guess is your ISP is blocking outbound tcp/25 connections.

    From a host on LAN:

    telnet smtp.gmail.com 25

    what happens?

    telnet smtp.gmail.com 587

    what happens?



  • Scotts-MacBook-Pro:~ ScottParks$ telnet smtp.gmail.com 465
    Trying 74.125.20.108...
    Connected to gmail-smtp-msa.l.google.com.
    Escape character is '^]'.

    Scotts-MacBook-Pro:~ ScottParks$ telnet smtp.gmail.com 587
    Trying 74.125.20.109...
    Connected to gmail-smtp-msa.l.google.com.
    Escape character is '^]'.
    220 smtp.gmail.com ESMTP hh3sm8662756pbc.8 - gsmtp

    Scotts-MacBook-Pro:~ ScottParks$ telnet smtp.gmail.com 25
    Trying 74.125.20.108...
    telnet: connect to address 74.125.20.108: Operation timed out
    Trying 74.125.20.109...
    telnet: connect to address 74.125.20.109: Operation timed out
    Trying 2607:f8b0:400e:c01::6c...
    telnet: connect to address 2607:f8b0:400e:c01::6c: No route to host
    telnet: Unable to connect to remote host


  • LAYER 8 Netgate

    ISP's blocking it, most likely. Interesting that they pass 465.

    Your best bet is probably tcp/587 + STARTTLS + authentication.



  • I've tried both 465 and 587 and use IP auth with Google Apps.

    Google is saying they never get the request from our public IP.

    Is there any proof I can provide to AT&T that they aren't allowing my traffic to pass? Otherwise they are just going to play dumb.

    ![Screen Shot 2015-08-21 at 12.33.27 PM.png](/public/imported_attachments/1/Screen Shot 2015-08-21 at 12.33.27 PM.png)


  • LAYER 8 Netgate

    You have proof? It's not going to be a secret to them that they block outbound tcp/25. You might just have to ask for it to be opened.

    This is not a pfSense problem.



  • Had a similar issue before.
    My ISP appears to block port 25.
    I've used port 587 and it works.
    Make sure to NAT the port to the app server.



  • Here's an update. I was able to configure Outlook on the MacBook to connect to Google Apps with 465 and was able to send test mail out.

    So theoretically it should be the same, and not a pfSense or ISP problem, right???


  • LAYER 8 Netgate

    Dude -

    How do the devices you're trying to send mail with send mail?

    25 Starts Clear - STARTTLS sometimes supported - authentication might be required
    465 Starts with SSL - authentication might be required
    587 Starts Clear - STARTTLS sometimes supported - authentication required before email submission
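
    The manual telnet tests earlier in the thread, the question about what to show AT&T, and the 25/465/587 summary just above all come down to classifying what happens when a client opens the port. The script below is an added example (not from the thread, not pfSense code) that does that classification: it records whether the TCP connect timed out, was refused, or succeeded, then checks whether a 220 greeting arrives in the clear and whether EHLO advertises STARTTLS. A port that accepts the connection but stays silent is what telnet to 465 showed above, since that port expects TLS before any SMTP. The hostname and port you pass in are assumptions; the local fake servers exist only so the block runs offline.

    ```python
    # Added example: scripted version of "telnet smtp.gmail.com 25/465/587".
    # Not part of the original thread or of pfSense. Fake servers below are
    # constructed so the script runs offline; real usage would be
    # probe_smtp("smtp.gmail.com", 587) from a LAN host (hostname assumed).
    import socket
    import threading


    def _readline(sock, timeout):
        """Read one CRLF-terminated SMTP line; None if nothing arrives in time."""
        sock.settimeout(timeout)
        buf = b""
        try:
            while not buf.endswith(b"\r\n") and len(buf) < 1024:
                chunk = sock.recv(1)
                if not chunk:                      # peer closed
                    break
                buf += chunk
        except socket.timeout:
            return None
        return buf.decode("ascii", "replace").rstrip("\r\n")


    def probe_smtp(host, port, timeout=5.0):
        """Describe how (host, port) behaves for an SMTP client."""
        result = {"host": host, "port": port, "status": None,
                  "banner": None, "starttls": None}
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except socket.timeout:
            result["status"] = "timeout"       # SYN unanswered: upstream filter
            return result
        except ConnectionRefusedError:
            result["status"] = "refused"       # RST: path open, nothing listening
            return result
        except OSError as exc:                 # e.g. "No route to host" (IPv6)
            result["status"] = "unreachable: %s" % (exc.strerror or exc)
            return result
        with sock:
            banner = _readline(sock, timeout)
            if banner is None:
                # TCP works but no 220 greeting: server wants TLS first (465 style)
                result["status"] = "open-silent"
                return result
            result["status"] = "open"
            result["banner"] = banner
            if banner.startswith("220"):
                sock.sendall(b"EHLO probe.example\r\n")   # placeholder client name
                caps = []
                while True:
                    line = _readline(sock, timeout)
                    if line is None or len(line) < 4:
                        break
                    caps.append(line[4:].strip().upper())
                    if line[3] == " ":                   # final line of EHLO reply
                        break
                result["starttls"] = "STARTTLS" in caps
                sock.sendall(b"QUIT\r\n")
        return result


    def start_fake_smtp(banner=b"", ehlo_reply=b""):
        """Constructed stand-in for a remote server: one connection on 127.0.0.1."""
        srv = socket.socket()
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]

        def serve():
            conn, _ = srv.accept()
            srv.close()
            with conn:
                conn.settimeout(5)
                try:
                    if banner:
                        conn.sendall(banner)
                    cmd = conn.recv(1024)
                    if cmd.upper().startswith(b"EHLO") and ehlo_reply:
                        conn.sendall(ehlo_reply)
                        conn.recv(1024)                  # QUIT
                except OSError:
                    pass

        threading.Thread(target=serve, daemon=True).start()
        return port


    def closed_local_port():
        """A 127.0.0.1 port with no listener, to show the 'refused' case."""
        s = socket.socket()
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
        s.close()
        return port


    def demo():
        """Probe constructed endpoints that behave like 587, 465 and a closed port."""
        submission = start_fake_smtp(
            b"220 smtp.example ESMTP\r\n",
            b"250-smtp.example at your service\r\n250-STARTTLS\r\n250 SMTPUTF8\r\n")
        implicit_tls = start_fake_smtp()       # accepts TCP, sends nothing
        return [probe_smtp("127.0.0.1", p, timeout=1.0)
                for p in (submission, implicit_tls, closed_local_port())]


    if __name__ == "__main__":
        for r in demo():
            print(r)
    ```

    Run against the real relay from a LAN host and a "timeout" on 25 next to "open" on 587 is a reasonably concrete record to hand the ISP; a "refused" would instead point at the far end, and "open-silent" on 465 is expected rather than a fault.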



  • SuiteCRM and ownCloud both worked with the current settings, using port 465 and Google Apps IP auth, when it was hosted on EC2, but since we moved it back locally it doesn't work. All settings are the same. The only thing I had to change was, of course, the auth IP that Google Apps allows, from the EC2 IP to my WAN IP.


  • Banned

    Dude. I already gave you a link to provide some useful testing and debugging info on the other thread. Why don't you just do it?





  • Scotts-MacBook-Pro:~ ScottParks$ openssl s_client -connect smtp-relay.gmail.com:587 -starttls smtp
    CONNECTED(00000003)
    depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
    0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp-relay.gmail.com
      i:/C=US/O=Google Inc/CN=Google Internet Authority G2
    1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
      i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
      i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEgjCCA2qgAwIBAgIIODBLubr9A2MwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
    BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
    cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwMjE4MTAyMDU3WhcNMTUxMjMxMDAwMDAw
    WjBuMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
    TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEdMBsGA1UEAwwUc210
    cC1yZWxheS5nbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
    AQDE+bjFuGH62y341P0icz1L2SKpRS0pt1PvVGtru1g3t35IDUarI36+/duBX6W5
    CtJmkPOiHfH/mbT/EN/+zI1RD8hzR4sH6wDcLSp42DvodWRfpz9P/1HShpOO84BZ
    IJBj+um6+lnBq4Rb/JukDE7mGc9T/UeagR+o9b64HqaOHkzO+CWcLnAlqyu6UXq9
    5clpkd+7uyKkl+wifGzbQI6Hnt+Ssb2DhjTSDHH0f9Ae7RJKWKnQlizsrKI52WSj
    bfLlvRxf7Zz8aKhX1wQ17ICkJa/aHTswWH4M7uliJhRi5UhNi4CYFh8pfkgp6bAV
    usH4lHAj/Lpq0mQ6EnNbsoVzAgMBAAGjggFHMIIBQzAdBgNVHSUEFjAUBggrBgEF
    BQcDAQYIKwYBBQUHAwIwHwYDVR0RBBgwFoIUc210cC1yZWxheS5nbWFpbC5jb20w
    aAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5j
    b20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xl
    LmNvbS9vY3NwMB0GA1UdDgQWBBRq4wUieE4jUdsQGeM8atDb98lSPDAMBgNVHRMB
    Af8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQ
    MA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdv
    b2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQATjUExdKa1G4p4
    MwOnPORkMZTj0N6tU6diUzKeAtHE8K51q5HCmz9d6JIIt2UoJ0E2KXReBX4sKmQQ
    7R1RhcUhy6Bie25QvDAniWQhTbI7AbTCvqDl0I242wYQ5aIOTeWYcR6RvOsZigLo
    qHHoTROhumKcMST8+zHNmI4IZbry7Oq4hlqNb6UYPAd32jV59lJPU0xvW/Vlzj9K
    ttOFYq6jw1DUImeJp7Zfh2s7yMVSSe8XwDcEfbJZA9U10/8S2B8YYwB0cVetjo/Q
    b6koiKE5gbfE58TLMKKW/YOJ/xqZiu1LMQV67RpI9VzF6UP/dVlEUh+Jw2N/p0nM
    MvOK1pqd
    -----END CERTIFICATE-----
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp-relay.gmail.com
    issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

    No client certificate CA names sent

    SSL handshake has read 3492 bytes and written 479 bytes

    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 21900F806CB079425019879EF325A4CF74D08715C6298AF1EFAD447E5980F4AA
        Session-ID-ctx:
        Master-Key: 8AD0BBF7C086A831DB2D4FD80293AC72AAC90A855834C129C51046BF7DDAD9522B6BE2B9CB9C7804A826A0EFBFE84BAA
        Key-Arg  : None
        Start Time: 1440296241
        Timeout  : 300 (sec)
        Verify return code: 0 (ok)

    250 SMTPUTF8


  • Banned

    Awesome. So, pfSense is completely out of business as far as this goes. It blocks nothing. Please, focus your debugging elsewhere and follow up in the proper forum. (That is, the one for software you are having trouble with. It's not pfSense.)

