Hello everyone,
I haven't been an OPNSense user for that long, but now my OPNSense is actually running quite well.
And I don't really miss Sophos UTM anymore ;)
But what I still don't understand to this day is why there is no function to receive an email when a new version is available?
Any other manufacturer can do this, that shouldn't be a problem or am I wrong?
Yes, I know, i could activate email notification in the "Announcements"...
All well and good, but why take this detour?
My additional problem is that the notifications about new threads in the announcements do not work or no longer work.
So far I have only received one email, namely in April 2024, when a new business version was released.
Not a single one since then (no, not SPAM either... I excluded OPNsense emails)
I've already deactivated and reactivated Notify, but that didn't help.
There was no email notification about 24.1.7 & 24.1.7_4.
Does anyone have a tip why this doesn't work?
At least I've received only one email notification so far...
For that reason alone, I would like something like this to be checked directly from the firewall without a forum and, if necessary, the admin to be notified by email!
So I have to go into the web interface regularly and check for updates, only to then find out, as that 24.7.1_4 is there and once again I didn't get any information :(
Do you have any ideas why the forum notifications aren't working properly?
I'm currently using GMX as a provider, if this should be important.
Kindly Regards
xenon
Better solution imho
- have an eye on this https://forum.opnsense.org/index.php?board=11.0
- read release notes, have an eye on the forum for some time, depending on your robustness start installing some hours to some days after new release becomes available. ;-)
Hi,
We've deprecated mailing lists a long time ago. It wasn't my favourite decision to carry forward but it has been good and I'm not missing it.
The technical machinery between a user wanting an update mail in a free product but having to register somewhere dumping personal information like an email address is challenging in terms of data protection and maintenance costs. We would like to simply avoid it.
The API has means to check for new versions and so has Monit. The setup isn't ideal because the technical part is offloaded to you, but at least you are in charge of your data and frequency and format. :)
Cheers,
Franco
Good Morning,
OK thanks.
But does anyone have an idea why the notifications from the forum about new Topics via e-mail are not arriving at my GMX address?
You need an Email provider that allows you to access SMTP directly in order to send out mails (or use vendor product "x" with accompanying horrible API "y").
GMX in particular doesn't offer that access unless you pay for it so a Google Mail is a good alternative to that (and yes you can send it to GMX then, too).
Most companies may already have a sane mail provider to use though.
Cheers,
Franco
Quote from: franco on May 28, 2024, 02:46:54 PM
You need an Email provider that allows you to access SMTP directly in order to send out mails (or use vendor product "x" with accompanying horrible API "y").
GMX in particular doesn't offer that access unless you pay for it so a Google Mail is a good alternative to that (and yes you can send it to GMX then, too).
Most companies may already have a sane mail provider to use though.
Cheers,
Franco
Hello Franco,
I actually meant the forum notifications to my GMX address, which doesn't work.
I have set up a notification for new topics under "announcements", but no email is received by GMX. Not even in the spam folder
Kindly Regards
xenon
I think this is a GMX specific issue now, because we run on Office 365 since a few weeks. Our end says these have been delivered to the recipient.
Cheers,
Franco
I am subscribed to the announcements subforum. I got an email for 24.1.10, but never got any emails for anything in the 24.7 series. I am using Fastmail as my provider which has no issues with anyone that I know of -- this would be the very first. There is no evidence of it hitting my spam folder. If anyone at OPNsense is aware of deliverability issues to Fastmail I'd like to report it. If you're using O365 it should not be an issue.
I think it would be cool to have a better mechanism to notify users of updates, especially critical security updates, than to depend on the forum software. Maybe just a plain old mailing list? Or the system itself could email or notify the admin when it sees updates? I really want to know when hotfixes are released so I can apply them.
I did actually get the email for 24.7.1 just now. But the posts in the same thread for the other 24.7 releases never delivered one. Maybe something was changed?
Most likely lost on some MTA due to some good intentions spam rule.
Cheers,
Franco
I think that's good evidence for email via the forum to not be the best way to deliver update notifications to admins. Is there a better method besides refreshing the dashboard all the time? Maybe a plugin that is more aggressive? Do critical security hotfixes get auto-applied?
Maybe since we already have monit, it can be an event in monit? I'm just spitballing here -- I'm honestly surprised the best we have is "subscribe to the forum but it may not arrive". I want security updates as quickly as possible.
Regarding the email itself, this would be the first and only time I had an expected email not delivered at all since I migrated to Fastmail. So maybe there is something fixable here that would benefit many others.
Email was delivered for 24.7.3, but not for 24.7.4. I wish there were a better mechanism than depending on forum software delivering email. I don't feel comfortable getting hotfix notifications this way. Surely there is a better method -- I would think security hotfixes and notifications would be very high priority
Well each OPNsense uses this API for the Announcement Widget:
/api/core/dashboard/product_info_feed
It uses this link:
https://github.com/opnsense/core/blob/bd037cc6555b5953241760553cb72e6d6147d3da/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/DashboardController.php#L219
https://forum.opnsense.org/index.php?board=11.0&action=.xml;limit=5;type=rss2
Any tool that turns RSS into an Email for you could be used here. Even Outlook can subscribe to them.
It is not what you are looking for but it may help:
https://github.com/Red-Swingline/OPNsenseManager
Quote from: Monviech on September 23, 2024, 01:17:06 PM
Well each OPNsense uses this API for the Announcement Widget:
/api/core/dashboard/product_info_feed
It uses this link:
https://github.com/opnsense/core/blob/bd037cc6555b5953241760553cb72e6d6147d3da/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/DashboardController.php#L219
https://forum.opnsense.org/index.php?board=11.0&action=.xml;limit=5;type=rss2
Any tool that turns RSS into an Email for you could be used here. Even Outlook can subscribe to them.
Thanks -- that is useful to get something going for myself.
But the long term situation is scary. When (not if) OPNSense has a 0day, there is no way to even alert people running it. A notification engine should be a core feature of OPNsense. Monit is the closest thing we have to that right now. But in the absence of that there should at the very least be an official mailing list. That's how so many other projects work. To rely on the forum software for this is demonstrably not workable -- it doesn't even send emails properly half the time.
I really think security updates should be taken much more seriously. OPNsense needs a way to mass notify about security updates. This can be opt-in but it needs to be put clearly in front of admins when they install or first-run.
For what it's worth, 24.7.6 also did not deliver email via the forum. I'd love to see the mailing list brought back.
Also FWIW, I *did* get an email from the forum notifying me of the 24.7.6 release post. I suspect it's getting caught in SPAM filters sometimes, maybe. I do notice this:
Received-SPF: fail (google.com: domain of no-reply@opnsense.org does not designate 209.85.220.69 as permitted sender) client-ip=209.85.220.69;
although it does pass DKIM and DMARC. SPAM filters can be fickle, though....
> I really think security updates should be taken much more seriously. OPNsense needs a way to mass notify about security updates.
Is that a straw man suggesting we don't take security updates seriously? :)
It's pretty easy to mass-notify all the GDPR compliant contacts we were provided which is... zero. The times of unsolicited mass-notifications are effectively over. It also allows the users to build their favourite channel from the available primary sources.
Cheers,
Franco
I mean, that's not what a straw man is? It is an implication though, and I think a fair one. It's a large project that people are trusting at their edge. It is good practice to have a mechanism to notify people of important security updates. I don't think this is controversial. And here we are met with "just subscribe to the announcement forum" which simply does not work predictably. I have provided multiple examples of email notifications failing to work on the forum -- and I have offered to help track them down. Yes, I and many others are capable of building my own tools to check for updates but the right thing to do is for the project to offer this, or at least have an official mailing list that works reliably. As I already posted before what are you going to do when there's a 0day? Hope people notice it on reddit? Hope they refresh their dashboard every day? You need a way to reach out in an official capacity besides posting on the forums. I'm not sure how GDPR is relevant here, it can still be opt-in.
Anyway regarding the announcement forum and email, I think the issue with forum subscription is that there is a backoff on topic notifications. If you do not actually click through and re-open the forum it will not send new email notifications for new topics past the one it already sent. So it may actually be that instead of spam filters. It would be better if the announcement forum didn't have this behavior probably.
> It is an implication though, and I think a fair one.
Fair enough and I do disagree. Ive seen too many people claiming that this or that is suboptimal but in the average case users just fail to read or find what information is readily available.
Cheers,
Franco
Do we have RSS feeds ?
Read the whole thread I responded that on page 1.
https://forum.opnsense.org/index.php?topic=40727.msg213549#msg213549
Quote from: Monviech on October 28, 2024, 11:30:03 AM
Read the whole thread I responded that on page 1.
https://forum.opnsense.org/index.php?topic=40727.msg213549#msg213549
Alright then, sorry for asking.
Sorry I didnt want to sound mean. :)
No worries.
As I just answered in this forum in german... No fun to translate the comments. But hope its clear to understand :)
cat /usr/local/bin/check_opnsense_update.sh
#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Aktuelle installierte Version abrufen und nur die Versionsnummer extrahieren
CURRENT_VERSION=$(opnsense-version | awk '{print $2}')
# Verfügbare Version aus dem Repository abrufen
AVAILABLE_VERSION=$(pkg rquery '%v' opnsense)
if [ "$CURRENT_VERSION" = "$AVAILABLE_VERSION" ]; then
# Keine neue Version verfügbar
echo "NO_UPDATE: Current version: $CURRENT_VERSION"
exit 0
else
# Update verfügbar
echo "UPDATE_AVAILABLE: Current version: OPNsense $CURRENT_VERSION, Available version: OPNsense $AVAILABLE_VERSION"
exit 1
fi
Service Test Settings:
Name: check_opnsense_update
Condition: status != 0
Action: Alert
Service Settings:
Name: OPNsense_Update_Check
Type: custom
Path: /usr/local/bin/check_opnsense_update.sh
Tests: check_opnsense_update
Poll Time: 0 0 * * *
Note: for daily checks at 0:00
Alert Settings:
Recipient: e@mail.com
Events: status failed
Mail Format:
from: [FW@lalelu.com]
reply-to: [e@mail.com]
subject: Monit Alert -- $EVENT
message: $EVENT Service $SERVICE
Date: $DATE
Action: $ACTION
Host: $HOST
Description: $DESCRIPTION
Cheers,
Monit
Reminder: 3600
Cheers
EDIT: I could not test the opnsense-update -c, as I have already the latest update installed. But I assume it will work. Let me know :)
Hello Franco
I as well was missing a few notification emails towards the end of 2024 on two different email addresses, one selfhosted and another one at Google Workspaces.
I did login with both accounts and checked settings, clicked around in the Forum and then I again got the notification for "OPNsense 25.1-RC1 released" (on 22.01.2025) and "OPNsense 25.1-RC2 released" (today, on 24.01.2025, but only to one of the addresses).
I did see this line in the email from 22.01.2025 and now also today:
"More topics may be posted, but you won't receive more email notifications for this board until you return to the board and read some of them."
I did already login on the 22.01.2025 with both accounts an clicked on a few posting and still only one of them got the email of today.
In case of the announcement I really don't see any reason to also visit the forum, as all the relevant information already is in the email. Unfortunately additional (important) comments to existing announcement postings do not send any notifications at all.
I suspect that the Forum software is disabling the sending out of notifications if a user has not logged in for a certain time, or even worse did not read any postings at all.
It either would be helpful to mention that if no login did happen for that certain time, that notifications will be stopped. In that case I would make myself a reminder to login in regularly to avoid this. I already have such things for other services where they mention to even delete the account when no login happen for e.g. 1 year. In one case it is a postal service which does send email notification of arriving packages, which is all I need and I do not have to login there for anything else.
Or maybe there is a knob somewhere in the Forum software to disable this check and keep sending email as long as they don't bounce with a hard error.
Best regards,
Fabian
Quote from: Fabian Wenk on January 24, 2025, 01:25:11 PM"OPNsense 25.1-RC2 released" (today, on 24.01.2025, but only to one of the addresses).
In the meantime with 1.5 hours delay the email also arrived in the second mail account.