Messages

1

24.7 Production Series / Re: OAuth2 support for opnsense/monit?

« on: October 29, 2024, 10:54:32 am »

Postfix is a server and can send emails to other servers. I have never seen Postfix to behave as client and authenticate itself as client - MSA. But mybe it is doable with some specific steps.

For every trusted connection between MTAs it is necessary to establish trust. One way or the other. The simplest way is to configure a trusted relay with a fixed IP. But there are other options.

So use SMTP "AUTH" - and very often plain -simple user/password.
Now MS will remove it and will use OATH authentication.

So no, MS does not remove SMTP AUTH, just changes the auth method and client has to support it.

Indeed, I could have been more succinct. Microsoft is merely altering the authentication method. However, given that most clients, including Monit, lack OAuth2 support, it's unlikely they will adapt by September 2025, if at all.

2

24.7 Production Series / Re: OAuth2 support for opnsense/monit?

« on: October 25, 2024, 03:35:53 pm »

True that.

Sending email to MS365 would be sufficient. But you are right, as there is no trust or authentication established, every email sent will be fully affected by MS365's anti-spam policies. So there will always be a risk of alerts not going through. Not very favorable.

I just checked specifically for OAuth2 support by postfix and sendmail. Nothing. Well, OAuth2 is not part of the SMTP protocol standard (yet). The topic seems to be lingering for quite some time, as I found many posts - some of them years old. Google/Gmail seems to be on the same page.

The question is how this requirement will be handled in the near future. I guess many will be affected next year as soon as MS365 will not support SMTP AUTH anymore, as not everybody runs on fixed IPs. Especially not small businesses.

There is a quite nice and comprehensive OAuth2 CLI to fetch tokens: https://github.com/cloudentity/oauth2c

3

24.7 Production Series / Re: OAuth2 support for opnsense/monit?

« on: October 25, 2024, 02:06:08 pm »

Giving postfix on opnsense a second thought: why would I need a fixed IP? If I run postfix as a purely internal (LAN) smtp relay for my remaining on-premise services (e.g. monit), it wouldn't even need to be published on the WAN, would it? As long as smtp-mail.outlook.com would then accept all emails relayed by opnsense/postfix.

Or do I miss something here?

4

24.7 Production Series / Re: OAuth2 support for opnsense/monit?

« on: October 25, 2024, 01:30:11 pm »

Thanks for the advice, but unfortunately I don't have a fixed public IP address (anymore). I recently moved most of my on-premise services into the cloud(s). Thus, I only maintain a small office network running on opnsense with a dynamic IP. And I use monit to monitor those cloud services.

5

24.7 Production Series / OAuth2 support for opnsense/monit?

« on: October 25, 2024, 01:13:13 pm »

Hi there,

recently Microsoft disabled basic username/password authentication (SMTP AUTH) for smtp-mail.outlook.com: https://tinyurl.com/ypf5w7s5

My company is using Microsoft 365 cloud services and I only realized that because Monit "stopped" sending alert emails. For now I could manually override the disabling, but it would only buy me a year, as MS will remove SMTP AUTH support by September 2025. See link above.

Thus my question: is opnsense/monit able to authenticate via OAuth2? The current configuration webform does not offer this option. My research did not come up with any hints towards OAuth2 support.

Thanks in advance for your support!

6

General Discussion / RRD stats for Monit services?

« on: August 19, 2024, 06:50:51 pm »

Hello,

I would like to track several Monit remote host services (https, etc.) that I monitor against a timeline to visualize e.g. their response times and their down times.

I get the alerts reliably into my Inbox, but I need to "manually" process each email and compile a table to create a summary/visualization of the service availability/quality. So, it would be great to automatize that. OPNsense has a great RRD based reporting engine, so I was wondering if it was possible to connect Monit to it. Please advise!

Thanks, and best regards!

7

General Discussion / Re: DDNS freedns.afraid.org help

« on: June 24, 2024, 02:50:05 pm »

Worked for me too. Thanks.

8

24.1 Legacy Series / Re: 24.1 - Still no GUI list of Unbound DNS's dhcpleases.conf & host_entries.conf?

« on: February 07, 2024, 12:44:16 pm »

Well, I understand that those records are steered/fed by the DHCP service. But still, the DHCP service is the sending end, and the DNS service is the receiving end (as DNS is not directly serving DHCP's config files). In order to check or troubleshoot I would like to be able to see what is actually served to the network by the respective service. On the DHCP side it is clear and viewable, on the DNS side it is not. Further, I would like to see the record types (A, AAAA, CNAME, etc.) and if the FQDNs are correct. So, imho checking a DNS zone is not an uncommon use case.

Best regards!

9

24.1 Legacy Series / Re: 24.1 - Still no GUI list of Unbound DNS's dhcpleases.conf & host_entries.conf?

« on: February 07, 2024, 11:50:45 am »

I created a corresponding feature request in GitHub: https://github.com/opnsense/core/issues/7209

10

24.1 Legacy Series / Re: ddclient updates GoDaddy dns every 300s even if ip has not changed

« on: February 07, 2024, 10:42:54 am »

I created a corresponding issue in GitHub: https://github.com/opnsense/plugins/issues/3805

11

24.1 Legacy Series / 24.1 - Still no GUI list of Unbound DNS's dhcpleases.conf & host_entries.conf?

« on: February 07, 2024, 09:57:47 am »

Hey,

I just tried out the new Kea DHCP service and wanted to check if the DHCP leases and host entries are correctly added and maintained in Unbound. But I realized that there is still no way to check Unbound's config files /var/unbound/dhcpleases.conf and /var/unbound/host_entries.conf via the GUI. It is still necessary to open the console and access the files there.

Could we please get an additional GUI menu item under "/Services/Unbound DNS" where the current host entries and DHCP leases are displayed in a table? What is the point of being able to configure Unbound in the GUI and not being able to list its "resulting" DNS records that are currently being served to the network? This is a fundamental feature. Thanks!

For the record, the topic has already been addressed in the forum: https://forum.opnsense.org/index.php?topic=31871.0

Best regards.

12

24.1 Legacy Series / ddclient updates GoDaddy dns every 300s even if ip has not changed

« on: February 06, 2024, 11:52:43 am »

Hey,

I just changed my ddclient from using freedns to using GoDaddy. The dynamic ip has been checked properly (Interface/WAN) and the respective GoDaddy dns entry has been updated correctly. However, ddclient now seems to "statically" update the GoDaddy dns entry every 300 seconds (as configured in ddclient), but even if the dynamic ip has not changed.

ddclient using GoDaddy now shows a different behavior compared to using freedns, where the freedns dns entry was only updated if the dynamic dns had been changed by the provider.

Is there a reason for this behavior that is imho causing unnecessary traffic?

Best regards!

13

22.7 Legacy Series / Re: How to list all DNS entries in Unbound?

« on: March 16, 2023, 09:49:34 am »

Hi,
 
I've got the same question. I would also be able to display the full list of DNS entries, but did not find a way to do that within OPNsense...

The fact, that 'unbound-control' is disabled by default does not help either:

root@OPNsense:~ # unbound-control list_local_zones
[1678956760] unbound-control[53183:0] warning: control-enable is 'no' in the config file.
[1678956765] unbound-control[53183:0] fatal error: timeout: could not connect to server

Best regards!

14

21.7 Legacy Series / Re: FreeDNS with DynDNS - IP update fails since upgrade to os-dyndns 1.27_1

« on: December 16, 2021, 03:45:23 pm »

Yes! Indeed! The version 2 update interface of FreeDNS had been deactivated. Only god knows why...

Now it works flawlessly again! Thanks @franco!

15

21.7 Legacy Series / Re: Namecheap with DynDNS receives "unknown response" after upgrade to 21.7

« on: December 16, 2021, 01:06:39 pm »

Yes, otherwise it makes it harder to keep track of things.

Done. Please delete all my posts in this thread including this one. Sorry for the inconvenience caused!