Bug #8535 (closed)
SMTP fails to work with STARTTLS and TLS
Description
Problems:
1) I read on the pfSense forums that the new Pear-Mail should automatically use STARTTLS if the server offers it, but according to a Wireshark packet trace I made, my server offered it and my pfSense did not use it but sent the test email via plaintext.
2) My email server also supports using regular TLS, but when I check the box "Enable SMTP over SSL/TLS" in pfSense, the emails fail to send at all. Censored error = "Could not send the message to MYEMAIL@MYDOMAIN.com -- Error: Failed to connect to ssl://MYDOMAIN-com.mail.protection.outlook.com:25 [SMTP: Failed to connect socket: fsockopen(): unable to connect to ssl://MYDOMAIN-com.mail.protection.outlook.com:25 (Unknown error) (code: -1, response: )]"
Details:
I created a Relay Connector in my Office 365 account that authenticates all emails via my public IP, so no username or password is necessary to send an email through it. Microsoft's website (https://support.office.com/en-us/article/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-365-69f58e99-c550-4274-ad18-c805d654b4c4) explains that the relay should work on port 25 and TLS is "optional". I can successfully send emails through the relay using the built-in PowerShell command (Send-MailMessage -From noreply@MYDOMAIN.com -Subject "test 1" -To MYEMAIL@MYDOMAIN.com -Body "test 111" -Port 25 -SmtpServer MYDOMAIN-com.mail.protection.outlook.com) with the "UseSSL" parameter and without. When UseSSL is included, the Wireshark trace looks encrypted, and without UseSSL included, the Wireshark trace seems to be encrypted after the first packet. But the notification test emails from pfSense can only send if the "Enable SMTP over SSL/TLS" box is unchecked, so the emails are always sent in plaintext.
My guess is that the Mail feature of pfSense has some configuration or compatibility issue with Office 365's TLS and STARTTLS features of its Relay Connector. I have a similar problem with sending email from Duplicati through it. Duplicati fails to send using normal TLS, but it does succeed with STARTTLS=ALWAYS.
Sorry I'm not an expert with Wireshark but I hope this was helpful. If you want me to share the Wireshark traces, I'd prefer to email them privately to the pfSense team.
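The two failure modes in this report are the two ways SMTP gets TLS: implicit TLS (the `ssl://` form, a TLS handshake before any SMTP banner, conventionally on port 465) and STARTTLS (a plaintext EHLO on port 25 or 587, then an upgrade if the server advertises `STARTTLS`). The script below is an added example, not code from the bug report, pfSense or PEAR Mail: it parses a constructed EHLO reply to see whether STARTTLS is offered (what the Wireshark trace showed), maps the port and the "Enable SMTP over SSL/TLS" flag to the transport that would actually be attempted, and includes a live check that a notification relay really negotiates TLS. The hostnames, the EHLO replies and the function names are all constructed for this example.

```python
import smtplib
import ssl

# Constructed EHLO reply modelled on a relay that advertises STARTTLS;
# sample data for this example, not a capture from the bug report.
SAMPLE_EHLO_REPLY = (
    "250-relay.example.test Hello [203.0.113.10]\r\n"
    "250-SIZE 157286400\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 SMTPUTF8\r\n"
)

# Constructed reply from a relay that does not offer STARTTLS at all.
SAMPLE_EHLO_REPLY_NO_TLS = (
    "250-relay.example.test Hello [203.0.113.10]\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply):
    """Return the set of extension keywords in a multi-line 250 EHLO reply.

    Per RFC 5321 the first 250 line carries the server's domain (a greeting);
    every later '250-' / '250 ' line carries one extension keyword plus
    optional parameters (e.g. 'SIZE 157286400').
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    extensions = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue  # a non-250 line means EHLO failed; nothing to collect
        body = line[4:].strip()  # drop the '250-' or '250 ' prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def server_offers_starttls(reply):
    """True when the EHLO reply advertises the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def choose_tls_mode(port, smtp_over_ssl):
    """Map the port and an 'SMTP over SSL/TLS' flag to the transport that
    would actually be attempted.

    smtp_over_ssl=True means implicit TLS (the ssl:// URL form): the client
    starts the TLS handshake before reading any SMTP banner, which only works
    on a listener configured for that (conventionally port 465). Ports 25 and
    587 answer with a plaintext banner, so a TLS handshake sent there fails at
    connect time, which is the shape of the fsockopen() error in the report.
    """
    if smtp_over_ssl:
        return "implicit-tls" if port == 465 else "mismatch"
    return "starttls-if-offered"


def check_relay_transport(host, port=25, timeout=10):
    """Connect to a relay, report whether STARTTLS is offered and, if so,
    upgrade with certificate verification. Makes a network connection, so
    it is not exercised by the offline checks. Returns
    (starttls_offered, tls_negotiated)."""
    context = ssl.create_default_context()  # verifies the relay's certificate
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False, False  # mail would leave in plaintext
        smtp.starttls(context=context)
        smtp.ehlo()  # re-issue EHLO over the encrypted channel (RFC 3207)
        return True, True


if __name__ == "__main__":
    print("sample relay offers STARTTLS:", server_offers_starttls(SAMPLE_EHLO_REPLY))
    print("ssl:// on port 25  ->", choose_tls_mode(25, True))
    print("ssl:// on port 465 ->", choose_tls_mode(465, True))
    print("plain on port 25   ->", choose_tls_mode(25, False))
    # Live check against your own relay, e.g.:
    # print(check_relay_transport("relay.example.test", 25))
```

`check_relay_transport` is the defender's verification step: run it against the relay a firewall or backup tool is configured to use, and treat `(False, False)` or a verification exception as "notifications are going out unencrypted" rather than toggling the SSL box and hoping. The offline helpers only reason about the EHLO reply and the port; they do not decide whether a given client library will honour an advertised STARTTLS, which is the separate question this report raises.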
Updated by Jim Pingle about 5 years ago
- Status changed from New to Duplicate
Some of this appears to be a duplicate of #8313 and others may be a settings issue. If you still have problems, post on the forum for assistance.