OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: dcol on November 14, 2017, 12:45:25 am
-
Trying to set up notifications for the first time and I have an issue with authentication.
Two email servers cannot verify the user/password. I run these email servers and know how to set them up. Using an account that has ports 2525 (Non-SSL), and 465 (SSL) for relaying mail. Neither port can authenticate the user.
I use this user with many other email clients with no issues. Even tried other users. I can see the connection flow which terminates when the sender cannot authenticate.
Is there somewhere in OPNsense that I can check the settings internally? Seems like we may have an encrypted login or something weird going on. My systems do not support encrypted logons. Besides, no need to encrypt a logon anyway when using SSL.
Here is an example of the flow using STARTTLS.
2017-11-13 16:19:56,276 - [ 548590] C --> EHLO firewall.opnsense
2017-11-13 16:19:56,277 - [ 548590] S <-- 250-wsip-10-0-0-1.tc.ph.cox.net. Please to meet you
2017-11-13 16:19:56,277 - [ 548590] S <-- 250-AUTH LOGIN
2017-11-13 16:19:56,277 - [ 548590] S <-- 250-AUTH=LOGIN
2017-11-13 16:19:56,277 - [ 548590] S <-- 250-STARTTLS
2017-11-13 16:19:56,277 - [ 548590] S <-- 250 OK
2017-11-13 16:19:56,313 - [ 548590] C --> STARTTLS
2017-11-13 16:19:56,313 - [ 548590] S <-- 220 Go ahead
2017-11-13 16:19:56,434 - [ 548590] C --> EHLO firewall.opnsense
2017-11-13 16:19:56,434 - [ 548590] S <-- 250-wsip-10-1-1-0.tc.ph.cox.net. Please to meet you
2017-11-13 16:19:56,434 - [ 548590] S <-- 250-AUTH LOGIN
2017-11-13 16:19:56,435 - [ 548590] S <-- 250-AUTH=LOGIN
2017-11-13 16:19:56,435 - [ 548590] S <-- 250 OK
2017-11-13 16:19:56,466 - [ 548590] C --> AUTH PLAIN Y29sMUByc21tYWlsLmNvbQBjb2wxQHJzbW1haWwuY29tAHRlc3RlcjEyMw==
2017-11-13 16:19:56,467 - [ 548590] S <-- 334 UGFzc3dvcmQ6
2017-11-13 16:19:56,485 - [ 548590] S <-- 535 5.7.3 Authentication unsuccessful.
2017-11-13 16:19:56,503 - [ 548590] C --> AUTH PLAIN Y29sMUByc21tYWlsLmNvbQB0ZXN0ZXIxMjMA
2017-11-13 16:19:56,503 - [ 548590] S <-- 334 UGFzc3dvcmQ6
As you can see the AUTH PLAIN is the issue. I cannot accept that type of authentication. How can I change that?
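An added example, not part of the original post and not OPNsense code: a small Python audit of a session log in the format shown above. It reports each client AUTH attempt, whether the server had advertised that mechanism after the most recent EHLO, and whether STARTTLS had completed. The function names `audit_smtp_auth` and `plain_identity` are hypothetical, and the sample session and credentials are constructed.

```python
import base64
import re

LINE = re.compile(r"\] (C -->|S <--) (.*)$")      # log format used in the post
CAP = re.compile(r"250[- ]AUTH[ =](.*)", re.I)    # "250-AUTH LOGIN" and "250-AUTH=LOGIN"

def plain_identity(b64):
    """RFC 4616: authzid NUL authcid NUL passwd, base64-encoded (encoding, not encryption)."""
    try:
        authzid, authcid, passwd = base64.b64decode(b64).decode().split("\0")
    except ValueError:  # bad base64, bad UTF-8, or not exactly three fields
        return None
    # Only the password length is reported so the audit output does not repeat the secret.
    return {"authzid": authzid, "authcid": authcid, "password_len": len(passwd)}

def audit_smtp_auth(log_text):
    """List each client AUTH attempt with whether that mechanism was advertised."""
    offered, findings, tls, starttls_sent = set(), [], False, False
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m or not m.group(2).strip():
            continue
        direction, text, words = m.group(1), m.group(2), m.group(2).split()
        if direction == "S <--":
            tls = tls or (starttls_sent and words[0] == "220")
            starttls_sent = False
            cap = CAP.match(text)
            if cap:
                offered.update(cap.group(1).upper().split())
        elif words[0].upper() == "EHLO":
            offered = set()  # capabilities are re-advertised after every EHLO
        elif words[0].upper() == "STARTTLS":
            starttls_sent = True
        elif words[0].upper() == "AUTH" and len(words) > 1:
            mech = words[1].upper()
            findings.append({
                "mechanism": mech, "advertised": mech in offered, "tls": tls,
                "identity": plain_identity(words[2]) if mech == "PLAIN" and len(words) > 2 else None,
            })
    return findings

# Constructed session in the post's log format; host names and credentials are made up.
_CRED = base64.b64encode(b"\0alice@example.test\0not-a-real-pw").decode()
SAMPLE_LOG = "\n".join("2017-11-13 16:19:56,000 - [ 1] " + s for s in [
    "C --> EHLO fw.example", "S <-- 250-AUTH LOGIN", "S <-- 250-STARTTLS", "S <-- 250 OK",
    "C --> STARTTLS", "S <-- 220 Go ahead", "C --> EHLO fw.example", "S <-- 250-AUTH LOGIN",
    "S <-- 250 OK", "C --> AUTH PLAIN " + _CRED, "S <-- 535 5.7.3 Authentication unsuccessful.",
])

print(audit_smtp_auth(SAMPLE_LOG))
```

Because the AUTH PLAIN argument is only base64, a session log that records it contains the password in recoverable form and should be handled as a secret.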
-
Are the recipients you want to notify all hosted on the mail server that you're connecting to?
If so, you don't need to authenticate at all - the server will accept mail for its authoritative domain(s) and even accept STARTTLS without a login.
Bart...
-
No, the email servers are not on the OPNsense box. And whether I choose authentication or not I get the same results. The issue is both of my email servers do not support plain authentication, only normal. So I need to see if there is a way to change this in OPNsense, otherwise I will have to allow relay for the OPNsense WAN IP and I do not want to do that.
[UPDATE] Actually one of my email servers does support AUTH PLAIN and OPNsense still doesn't authenticate.
-
For now, until either the email server accepts AUTH PLAIN or I can get OPNsense to use normal password authentication, I just send the mail to a gmail account then forward the email to my email server. It at least works.
-
What software does your mail server run? Which host does your MX record point to?
Bart...
-
I use Smartermail on one system and Xeams on another. Neither can accept AUTH PLAIN logins. MX records are set depending on the domain.