pfSense » pfSense Packages

System/Advanced/Notifications/Test SMTP Settings

Dec 13 11:22:09 mail postfix/postscreen⁸⁶⁷⁰: CONNECT from [10.1.97.1]:10104 to [10.1.97.12]:25
Dec 13 11:22:12 mail postfix/postscreen⁸⁶⁷⁰: PASS OLD [10.1.97.1]:10104
Dec 13 11:22:12 mail postfix/smtpd⁸⁶⁷⁵: connect from _gateway[10.1.97.1]
Dec 13 11:22:12 mail postfix/smtpd⁸⁶⁷⁵: 7F1C6404F2: client=_gateway[10.1.97.1]
Dec 13 11:22:12 mail postfix/cleanup⁸⁶⁸⁰: 7F1C6404F2: message-id=<>
Dec 13 11:22:12 mail postfix/qmgr¹⁹⁸⁷: 7F1C6404F2: from=<root@pfsense.sashan.by>, size=381, nrcpt=1 (queue active)
Dec 13 11:22:12 mail postfix/smtpd⁸⁶⁷⁵: disconnect from _gateway[10.1.97.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

Status/Email Reports/Edit Reports/Send Now

Dec 13 11:28:31 mail postfix/postscreen⁸⁹⁶⁶: CONNECT from [10.1.97.1]:48172 to [10.1.97.12]:25
Dec 13 11:28:31 mail postfix/postscreen⁸⁹⁶⁶: PASS OLD [10.1.97.1]:48172
Dec 13 11:28:31 mail postfix/smtpd⁸⁹⁶⁹: connect from _gateway[10.1.97.1]
Dec 13 11:28:31 mail postfix/smtpd⁸⁹⁶⁹: SSL_accept error from _gateway[10.1.97.1]: -1
Dec 13 11:28:31 mail postfix/smtpd⁸⁹⁶⁹: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1399:SSL alert number 48:
Dec 13 11:28:31 mail postfix/smtpd⁸⁹⁶⁹: lost connection after STARTTLS from _gateway[10.1.97.1]
Dec 13 11:28:31 mail postfix/smtpd⁸⁹⁶⁹: disconnect from _gateway[10.1.97.1] ehlo=1 starttls=0/1 commands=1/2

Why then passes the test SMTP? Message from PF (shutdown for example) delivered successfully too. How to solve the problem?

The error seems to indicate that it fails to verify peer certificate because unknown CA.

The successfull test is made by the pfsense mailler system (http://pear.php.net/package/Mail/) used in system_advanced_notifications.php
but the mailreport package use : class.phpmailer.php, this is a different system (but it use the same configurations variables/values).

Jim : Maybe it could be a solution to use only the pfsense mailler system, and remove class.phpmailer.php ?
It should be possible to use the send_smtp_message() from notices.inc, isn't it ?

If you think it can be done, i can take some times to do it.

Alex,

In the "System/Advanced/Notifications/Test SMTP Settings" log there is "ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5" => never STARTTLS
but in the "Status/Email Reports/Edit Reports/Send Now" log there is "ehlo=1 starttls=0/1 commands=1/2" => it seems trying to STARTTLS

So, can you confirm us :
- in your system_advanced_notifications.php you got "Secure SMTP Connection" option UNCHECKED ?
- your mail server (10.1.97.12) is able (and purpose it) to STARTTLS at connection ?
to confirm that, you can connect with telnet and you'll get something like :

Connected to [mydomain].
Escape character is '^]'.
220 [mydomain] ESMTP Postfix
ehlo [mydomain]
250-[mydomain]
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The certificate verification can fail because : invalid, self-signed, CA not found, etc...
In this case, we can simply add something like at line 100 of /etc/inc/mail_reports.inc :

if ($config['notifications']['smtp']['sslvalidate'] == "disabled") {
    $mail->SMTPOptions =array(
      'ssl' => array(
         'verify_peer'       => false,
         'verify_peer_name'  => false,
         'allow_self_signed' => true,
      ),
    );
}

Then unchecking the "Validate SSL/TLS" in system_advanced_notifications.php can trig this condition and solve the problem.

Maybe Alex can test it for us ?

Thx

Ok.

[2.4.4-RELEASE][root@pfsense.mydomain]/root: telnet 10.1.97.12 25
Trying 10.1.97.12...
Connected to mail.mydomain.
Escape character is '^]'.
220 mail.mydomain ESMTP Postfix
ehlo pfsense.mydomain
250-mail.mydomain
250-PIPELINING
250-SIZE 15728640
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
^]
telnet> quit
Connection closed.

Unchecking "Validate SSL/TLS" does not dhange the result. Of course, i`m use self-signed certificate.

Dec 15 10:19:31 mail postfix/postscreen¹⁰⁵⁸⁶: CONNECT from [10.1.97.1]:5845 to [10.1.97.12]:25
Dec 15 10:19:31 mail postfix/postscreen¹⁰⁵⁸⁶: PASS OLD [10.1.97.1]:5845
Dec 15 10:19:32 mail postfix/smtpd¹⁰⁵⁸⁹: connect from _gateway[10.1.97.1]
Dec 15 10:19:32 mail postfix/smtpd¹⁰⁵⁸⁹: SSL_accept error from _gateway[10.1.97.1]: -1
Dec 15 10:19:32 mail postfix/smtpd¹⁰⁵⁸⁹: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1399:SSL alert number 48:
Dec 15 10:19:32 mail postfix/smtpd¹⁰⁵⁸⁹: lost connection after STARTTLS from _gateway[10.1.97.1]
Dec 15 10:19:32 mail postfix/smtpd¹⁰⁵⁸⁹: disconnect from _gateway[10.1.97.1] ehlo=1 starttls=0/1 commands=1/2

if ($config['notifications']['smtp']['sslvalidate'] == "disabled") {
$mail->SMTPOptions =array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true,
),
);
}

After thet, hen uncheckied the "Validate SSL/TLS" in system_advanced_notifications.php , the problem is dolved.

Thanks.

Hi Alex,

Thank you for your reply.

As we can see in the telnet output you give : your mail server purpose STARTTLS but you confirm that your certificate is self-signed.
I supposed that many users are in same situation.

Adding the SMTPOptions to mail_report.inc and uncheck the "Validate SSL/TLS" option in system_advanced_notifications.php SOLVE the problem for you
(if i understand your post correctly), correct ?

If so, i can patch it quickly.
I just need Jim reply to confirm that.

Thanks.

Hi, Joshua.

Yes, that solved the problem, thanks.

Thank You.

I added this commit to my current PR : https://github.com/pfsense/FreeBSD-ports/pull/602/commits/b03293c2a1912d3adec4199c8dae5c9e59cf3088

Regards.

the PR is now ok : https://github.com/pfsense/FreeBSD-ports/pull/603