
Bug #8535

closed

SMTP fails to work with STARTTLS and TLS

Added by Jeremy 99 over 6 years ago. Updated over 5 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Notifications
Target version: -
Start date: 05/23/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.3_1
Affected Architecture:

Description

Problems:
1) I read on the pfSense forums that the new Pear-Mail should automatically use STARTTLS if the server offers it, but according to a Wireshark packet trace I made, my server offered it and my pfSense did not use it but sent the test email via plaintext.
2) My email server also supports using regular TLS, but when I check the box "Enable SMTP over SSL/TLS" in pfSense, the emails fail to send at all. Censored error = "Could not send the message to -- Error: Failed to connect to ssl://MYDOMAIN-com.mail.protection.outlook.com:25 [SMTP: Failed to connect socket: fsockopen(): unable to connect to ssl://MYDOMAIN-com.mail.protection.outlook.com:25 (Unknown error) (code: -1, response: )]"

Details:
I created a Relay Connector in my Office 365 account that authenticates all emails via my public IP, so no username or password is necessary to send an email through it. Microsoft's website (https://support.office.com/en-us/article/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-365-69f58e99-c550-4274-ad18-c805d654b4c4) explains that the relay should work on port 25 and TLS is "optional". I can successfully send emails through the relay using the built-in PowerShell command (Send-MailMessage -From -Subject "test 1" -To -Body "test 111" -Port 25 -SmtpServer MYDOMAIN-com.mail.protection.outlook.com) with the "UseSSL" parameter and without. When UseSSL is included, the Wireshark trace looks encrypted, and without UseSSL included, the Wireshark trace seems to be encrypted after the first packet. But the notification test emails from pfSense can only send if the "Enable SMTP over SSL/TLS" box is unchecked, so the emails are always sent in plaintext.

My guess is that the Mail feature of pfSense has some configuration or compatibility issue with Office 365's TLS and STARTTLS features of its Relay Connector. I have a similar problem with sending email from Duplicati through it. Duplicati fails to send using normal TLS, but it does succeed with STARTTLS=ALWAYS.

Sorry I'm not an expert with Wireshark but I hope this was helpful. If you want me to share the Wireshark traces, I'd prefer to email them privately to the pfSense team.
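Added example, not code from the bug report or from pfSense: a small Python diagnostic for the two behaviours the report contrasts. A relay on port 25 starts in plaintext and expects a STARTTLS upgrade, so wrapping that socket in ssl:// (what the "Enable SMTP over SSL/TLS" option does) fails, while a port 465 endpoint expects TLS from the first byte. The helpers classify an EHLO reply and, given network access, attempt the STARTTLS upgrade with certificate verification instead of sending mail; the sample reply, host names and IP are constructed placeholders.

```python
"""Diagnostic for the two TLS behaviours a mail relay can expect on a port:
implicit TLS (the socket is TLS from the first byte, what an ssl:// wrapper assumes)
versus STARTTLS (plaintext EHLO first, then an upgrade). Nothing here sends mail."""
import smtplib
import ssl

# Constructed sample EHLO reply; host and IP are documentation placeholders.
SAMPLE_EHLO_REPLY = (
    "250-mail.example.invalid Hello [203.0.113.5]\r\n"
    "250-SIZE 157286400\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME"
)


def ehlo_capabilities(reply: str) -> set[str]:
    """Extract ESMTP keywords from a raw multi-line EHLO reply.
    The first line only names the server, so it is skipped."""
    caps = set()
    for line in reply.splitlines()[1:]:
        body = line[4:].strip()          # drop the '250-' / '250 ' prefix
        if body:
            caps.add(body.split()[0].upper())
    return caps


def recommended_mode(port: int, caps: set[str]) -> str:
    """Port 465 is implicit TLS; on 25 or 587 the session starts in plaintext
    and must be upgraded with STARTTLS when the server offers it."""
    if port == 465:
        return "implicit-tls"
    if "STARTTLS" in caps:
        return "starttls"
    return "plaintext-only"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, read the capabilities, and attempt a verified STARTTLS upgrade.
    Needs network access; hypothetical helper, not part of pfSense."""
    result = {"starttls_offered": False, "tls_version": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["starttls_offered"] = smtp.has_extn("starttls")
        if result["starttls_offered"]:
            # Default context verifies the relay's certificate chain and hostname.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
            result["tls_version"] = smtp.sock.version()
    return result
```

Running `probe_starttls("MYDOMAIN-com.mail.protection.outlook.com")` against the relay from the report would show whether STARTTLS is offered and, if the upgrade succeeds, which TLS version was negotiated, which is the check the Wireshark trace was used for.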

