Emails being blocked sending out
-
We have App server trying to connect to google apps SMTP relay but they aren't getting to them and our server admin looked and believes it's the FW not allowing to pass through. Logs show permission error on either suitecrm or owncloud which are the two applications needing to send out emails.
We have two interfaces (WAN, LAN) and I've attached screenshot of both rules
Any ideas or help would be greatly appreciated.
FYI, it all worked when we had hosted on AWS EC2 and just moved to local hosting.
 -
outbound connections are governed by rules on LAN, not WAN. That rule passes everything and so it's not the problem.
My first guess is your ISP is blocking outbound tcp/25 connections.
from a host on LAN:
telnet smtp.gmail.com 25
what happens?
telnet smtp.gmail.com 587
what happens?
-
Scotts-MacBook-Pro:~ ScottParks$ telnet smtp.gmail.com 465
Trying 74.125.20.108…
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.Scotts-MacBook-Pro:~ ScottParks$ telnet smtp.gmail.com 587
Trying 74.125.20.109...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP hh3sm8662756pbc.8 - gsmtpScotts-MacBook-Pro:~ ScottParks$ telnet smtp.gmail.com 25
Trying 74.125.20.108...
telnet: connect to address 74.125.20.108: Operation timed out
Trying 74.125.20.109...
telnet: connect to address 74.125.20.109: Operation timed out
Trying 2607:f8b0:400e:c01::6c...
telnet: connect to address 2607:f8b0:400e:c01::6c: No route to host
telnet: Unable to connect to remote host -
ISP's blocking it most likely. Interesting they pass 465.
Your best bet is probably tcp/587 + STARTTLS + authentication.
-
I've tried both 465 and 587 and use IP auth with google apps.
Google is saying they never get the request from our public IP.
Is there any proof I can provide to AT&T that they aren't allowing my traffic to pass? Otherwise they are just going to play dumb.
 -
You have proof? It's not going to be a secret to them that they block outbound tcp/25. You might just have to ask for it to be opened.
This is not a pfSense problem.
-
Had a similar issue before
My ISP appear to block port 25
I've used port 587 and it works
Make sure to nat the port to the app server -
Here's an update. I was able to configure MacBook Outlook to connect to google apps with 465 and was able to send test mail out.
So theoretically it should be the same and not a pfsense or ISP problem, right???
-
Dude -
How do the devices you're trying to send mail with send mail?
25 Starts Clear - STARTTLS sometimes supported - authentication might be required
465 Starts with SSL - authentication might be required
587 Starts Clear - STARTTLS sometimes supported - authentication required before email submission -
SuiteCRM and OwnCloud both worked with current settings using port 465 and google apps IP auth when it was being hosted on EC2 but since we moved it back locally it doesn't work. All settings are the same. Only thing I had to change was of course the auth IP that google apps had to allow from EC2 IP to my WAN IP.
-
Dude. I already gave you a link to provide some useful testing and debugging info on the other thread. Why don't you just do it?
-
Start here-
https://forum.pfsense.org/index.php?topic=70.0
-
Scotts-MacBook-Pro:~ ScottParks$ openssl s_client -connect smtp-relay.gmail.com:587 -starttls smtp
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
–-
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp-relay.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate AuthorityServer certificate
-----BEGIN CERTIFICATE-----
MIIEgjCCA2qgAwIBAgIIODBLubr9A2MwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUwMjE4MTAyMDU3WhcNMTUxMjMxMDAwMDAw
WjBuMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEdMBsGA1UEAwwUc210
cC1yZWxheS5nbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDE+bjFuGH62y341P0icz1L2SKpRS0pt1PvVGtru1g3t35IDUarI36+/duBX6W5
CtJmkPOiHfH/mbT/EN/+zI1RD8hzR4sH6wDcLSp42DvodWRfpz9P/1HShpOO84BZ
IJBj+um6+lnBq4Rb/JukDE7mGc9T/UeagR+o9b64HqaOHkzO+CWcLnAlqyu6UXq9
5clpkd+7uyKkl+wifGzbQI6Hnt+Ssb2DhjTSDHH0f9Ae7RJKWKnQlizsrKI52WSj
bfLlvRxf7Zz8aKhX1wQ17ICkJa/aHTswWH4M7uliJhRi5UhNi4CYFh8pfkgp6bAV
usH4lHAj/Lpq0mQ6EnNbsoVzAgMBAAGjggFHMIIBQzAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwHwYDVR0RBBgwFoIUc210cC1yZWxheS5nbWFpbC5jb20w
aAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5j
b20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xl
LmNvbS9vY3NwMB0GA1UdDgQWBBRq4wUieE4jUdsQGeM8atDb98lSPDAMBgNVHRMB
Af8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vcGtpLmdv
b2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQATjUExdKa1G4p4
MwOnPORkMZTj0N6tU6diUzKeAtHE8K51q5HCmz9d6JIIt2UoJ0E2KXReBX4sKmQQ
7R1RhcUhy6Bie25QvDAniWQhTbI7AbTCvqDl0I242wYQ5aIOTeWYcR6RvOsZigLo
qHHoTROhumKcMST8+zHNmI4IZbry7Oq4hlqNb6UYPAd32jV59lJPU0xvW/Vlzj9K
ttOFYq6jw1DUImeJp7Zfh2s7yMVSSe8XwDcEfbJZA9U10/8S2B8YYwB0cVetjo/Q
b6koiKE5gbfE58TLMKKW/YOJ/xqZiu1LMQV67RpI9VzF6UP/dVlEUh+Jw2N/p0nM
MvOK1pqd
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp-relay.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2No client certificate CA names sent
SSL handshake has read 3492 bytes and written 479 bytes
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 21900F806CB079425019879EF325A4CF74D08715C6298AF1EFAD447E5980F4AA
Session-ID-ctx:
Master-Key: 8AD0BBF7C086A831DB2D4FD80293AC72AAC90A855834C129C51046BF7DDAD9522B6BE2B9CB9C7804A826A0EFBFE84BAA
Key-Arg : None
Start Time: 1440296241
Timeout : 300 (sec)
Verify return code: 0 (ok)250 SMTPUTF8
-
Awesome. So, pfSense is completely out of business as far as this goes. It blocks nothing. Please, focus your debugging elsewhere and follow up in the proper forum. (That is, the one for software you are having trouble with. It's not pfSense.)
