OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: dcol on November 14, 2017, 12:45:25 am

Title: Trouble with SMTP notifications
Post by: dcol on November 14, 2017, 12:45:25 am
Trying to set up notifications for the first time and I have an issue with authentication.
Two email servers cannot verify the user/password. I run these email servers and know how to set them up. Using an account that has ports 2525 (Non-SSL), and 465 (SSL) for relaying mail. Neither port can authenticate the user.
I use this user with many other email clients with no issues. Even tried other users. I can see the connection flow which terminates when the sender cannot authenticate.

Is there somewhere in OPNsense that I can check the settings internally? Seems like we may have an encrypted login or something weird going on. My systems do not support encrypted logons. Besides, no need to encrypt a logon anyway when using SSL.

Here is an example of the flow using STARTTLS.
2017-11-13 16:19:56,276 - [    548590] C --> EHLO firewall.opnsense
2017-11-13 16:19:56,277 - [    548590] S <-- 250-wsip-10-0-0-1.tc.ph.cox.net. Please to meet you
2017-11-13 16:19:56,277 - [    548590] S <-- 250-AUTH LOGIN
2017-11-13 16:19:56,277 - [    548590] S <-- 250-AUTH=LOGIN
2017-11-13 16:19:56,277 - [    548590] S <-- 250-STARTTLS
2017-11-13 16:19:56,277 - [    548590] S <-- 250 OK
2017-11-13 16:19:56,313 - [    548590] C --> STARTTLS
2017-11-13 16:19:56,313 - [    548590] S <-- 220 Go ahead
2017-11-13 16:19:56,434 - [    548590] C --> EHLO firewall.opnsense
2017-11-13 16:19:56,434 - [    548590] S <-- 250-wsip-10-1-1-0.tc.ph.cox.net. Please to meet you
2017-11-13 16:19:56,434 - [    548590] S <-- 250-AUTH LOGIN
2017-11-13 16:19:56,435 - [    548590] S <-- 250-AUTH=LOGIN
2017-11-13 16:19:56,435 - [    548590] S <-- 250 OK
2017-11-13 16:19:56,466 - [    548590] C --> AUTH PLAIN Y29sMUByc21tYWlsLmNvbQBjb2wxQHJzbW1haWwuY29tAHRlc3RlcjEyMw==
2017-11-13 16:19:56,467 - [    548590] S <-- 334 UGFzc3dvcmQ6
2017-11-13 16:19:56,485 - [    548590] S <-- 535 5.7.3 Authentication unsuccessful.
2017-11-13 16:19:56,503 - [    548590] C --> AUTH PLAIN Y29sMUByc21tYWlsLmNvbQB0ZXN0ZXIxMjMA
2017-11-13 16:19:56,503 - [    548590] S <-- 334 UGFzc3dvcmQ6

As you can see the AUTH PLAIN is the issue. I cannot accept that type of authentication. How can I change that?
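A way to check a transcript like the one above mechanically, added here as an illustration and not part of the original post or of OPNsense: it compares each AUTH command the client sends with the mechanisms the server advertised in its most recent EHLO reply, decodes the 334 challenge, and masks the AUTH payload so the log can be shared. The function names, the log regex and the sample log (host names and credentials are constructed) are assumptions.

```python
import base64
import re

LINE = re.compile(r"\] ([CS]) (?:-->|<--) (.*)$")      # direction marker + SMTP text
CAP_AUTH = re.compile(r"250[- ]AUTH[ =](.+)", re.I)    # "250-AUTH LOGIN" / "250-AUTH=LOGIN"

def audit_auth(log_text):
    """Compare each AUTH command with the mechanisms advertised in the latest EHLO reply."""
    advertised, findings = set(), []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        side, text = m.group(1), m.group(2).strip()
        if side == "C" and text.upper().startswith(("EHLO", "HELO")):
            advertised = set()  # capabilities are announced again after STARTTLS
        elif side == "S" and (cap := CAP_AUTH.match(text)):
            advertised.update(cap.group(1).upper().split())
        elif side == "C" and text.upper().startswith("AUTH "):
            mech = text.split()[1].upper()
            findings.append({"mechanism": mech, "advertised": sorted(advertised),
                             "offered": mech in advertised, "challenge": None})
        elif side == "S" and text.startswith("334 ") and findings:
            # 334 carries a base64 challenge; decode it to see what the server asks for
            findings[-1]["challenge"] = base64.b64decode(text[4:]).decode("ascii", "replace")
    return findings

def redact(log_text):
    """Mask AUTH payloads: base64 is an encoding, not encryption."""
    return re.sub(r"(C --> AUTH \S+ )\S+", r"\1<redacted>", log_text)

# Constructed sample in the same log layout; credentials are made up.
PAYLOAD = base64.b64encode(b"\0user@example.test\0constructed-password").decode()
SAMPLE_LOG = "\n".join([
    "2017-01-01 00:00:00,000 - [ 1] C --> EHLO client.example.test",
    "2017-01-01 00:00:00,001 - [ 1] S <-- 250-mail.example.test",
    "2017-01-01 00:00:00,001 - [ 1] S <-- 250-AUTH LOGIN",
    "2017-01-01 00:00:00,001 - [ 1] S <-- 250-AUTH=LOGIN",
    "2017-01-01 00:00:00,001 - [ 1] S <-- 250 OK",
    f"2017-01-01 00:00:00,002 - [ 1] C --> AUTH PLAIN {PAYLOAD}",
    "2017-01-01 00:00:00,003 - [ 1] S <-- 334 UGFzc3dvcmQ6",
    "2017-01-01 00:00:00,004 - [ 1] S <-- 535 5.7.3 Authentication unsuccessful.",
])

if __name__ == "__main__":
    for finding in audit_auth(SAMPLE_LOG):
        print(finding)
    print(redact(SAMPLE_LOG))
```

On the sample, the single finding reports mechanism PLAIN against an advertised list of LOGIN only, and the 334 challenge decodes to the `Password:` prompt of a LOGIN exchange.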
Title: Re: Trouble with SMTP notifications
Post by: bartjsmit on November 14, 2017, 08:14:13 am
Are the recipients you want to notify all hosted on the mail server that you're connecting to?

If so, you don't need to authenticate at all - the server will accept mail for its authoritative domain(s) and even accept STARTTLS without a login.

Bart...
Title: Re: Trouble with SMTP notifications
Post by: dcol on November 14, 2017, 03:57:55 pm
No, the email servers are not on the OPNsense box. And whether I choose authentication or not I get the same results. The issue is both of my email servers do not support plain authentication, only normal. So I need to see if there is a way to change this in OPNsense, otherwise I will have to allow relay for the OPNsense WAN IP and I do not want to do that.

[UPDATE] Actually one of my email servers does support AUTH PLAIN and OPNsense still doesn't authenticate.
Title: Re: Trouble with SMTP notifications
Post by: dcol on November 14, 2017, 06:12:47 pm
For now, until either the email server accepts AUTH PLAIN or I can get OPNsense to use normal password authentication, I just send the mail to a Gmail account then forward the email to my email server. It at least works.
Title: Re: Trouble with SMTP notifications
Post by: bartjsmit on November 14, 2017, 06:20:35 pm
What software does your mail server run? Which host does your MX record point to?

Bart...
Title: Re: Trouble with SMTP notifications
Post by: dcol on November 14, 2017, 06:22:51 pm
I use SmarterMail on one system and Xeams on another. Neither can accept AUTH PLAIN logins. MX records are set depending on the domain.