Monit will not send out email alerts, gets connection errors

Started by fbeye, December 28, 2024, 06:22:25 PM

Hello. So even while Monit errors out connecting to the mail server, I am sending and receiving from the mail server. I hate words like "it's OPNSense" because it most likely is me, but I can indeed verify that the mail server I inputted indeed works from my iPhone and laptop, so I do assume it is an issue on OPN.

This is the log, newest to oldest;

Quote
2024-12-28T10:11:30-07:00   Error   monit   Aborting event
2024-12-28T10:11:30-07:00   Error   monit   Mail: Delivery failed -- no mail server is available   
2024-12-28T10:11:30-07:00   Error   monit   Cannot open a connection to the mailserver mail.mydomain.org:25 -- Operation now in progress   
2024-12-28T10:11:30-07:00   Error   monit   Cannot connect to [mail.mydomain.org]:25 -- Connection timed out   
2024-12-28T10:11:00-07:00   Informational   monit   'OPNsense.localdomain' Monit reloaded   
2024-12-28T10:10:59-07:00   Informational   monit   Reinitializing Monit -- control file '/usr/local/etc/monitrc'

Log on to OPNsense via SSH, enter

telnet mail.mydomain.org 25

Report what you get. Possibly run a tcpdump in parallel. Check the firewall live log in parallel.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Geeze

Live log scrolls so fast I have no idea what I am reading, and tcpdump is even worse.

As for telnet mail.domain.org 25, it just says 'Trying x.x.x.180' and sits.

Now, not sure if this matters, but the OPNsense firewall and the email server both reside at the house. Could there be a DNS issue because it is local?

Hardly. Because if it tells you "trying x.y.z.180" DNS resolution apparently was successful already.

So for some reason OPNsense cannot reach that IP address on port 25. Might be a firewall on the mail server, a route on OPNsense pushing the packets into a VPN tunnel ... almost anything.

Use tcpdump to watch if the initial TCP SYN packet leaves through the right interface. Use tcpdump on the mail server to check if it ever arrives. If it does, check if the mail server sends a SYN/ACK in return and where that goes etc.

Alright, so;

MAIL SERVER, tcpdump -i eth0 port 25
   When I send and receive an email through my iPhone, tcpdump scrolls like crazy during the transmission.
   When I restart Monit, and it errors like I posted in the first post, it sits with no activity.
OPNSENSE, tcpdump -i vtnet0 [I also tried vtnet1] port 25
   No matter what I do, the tcpdump results sit with no flow.


Below are the OPNsense results.

Quote
tcpdump -i vtnet1 port 25
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vtnet1, link-type EN10MB (Ethernet), snapshot length 262144 bytes

Quote
tcpdump -i vtnet0 port 25
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

So OPNsense is sending these packets somewhere else. Like I guessed a VPN connection, possibly? Did you try a traceroute? netstat -rn? Is that mailserver on a local interface to OPNsense or behind another router? vtnetX suggests all of this is virtualised which of course might also come into play. Proxmox? Bridges? What about the hypervisor firewall?

You have a network problem. Hunt down where the packets get stuck. Only way to solve.

Not sure.

Quote
netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            75.160.240.27      UGS      pppoe0             [The default GW my PPPoE grabs that is not part of my block of 8 static IPs]
75.160.240.27      link#8             UH       pppoe0
127.0.0.1          link#3             UH          lo0
172.16.2.0/24      link#1             U        vtnet0
172.16.2.1         link#3             UHS         lo0
192.168.1.0/24     172.16.2.2         UGS      vtnet0
192.168.2.0/24     172.16.2.2         UGS      vtnet0
192.168.3.0/24     172.16.2.2         UGS      vtnet0
192.168.4.0/24     172.16.2.2         UGS      vtnet0
192.168.5.0/24     172.16.2.2         UGS      vtnet0
192.168.6.0/24     172.16.2.2         UGS      vtnet0
207.108.121.180    link#3             UHS         lo0             [This is the virtual IP we are dealing with]
207.108.121.181    link#3             UHS         lo0             [Only way Caddy works/talks to LAN proxies is if I add link3 as GW; if I use link8 it won't work]
207.108.121.182    link#8             UH       pppoe0             [This IP,main default WAN IP that PPPoE grabs automatically grabs link8 for GW]

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::1                               link#3                        UHS         lo0
fe80::%lo0/64                     link#3                        U           lo0
fe80::1%lo0                       link#3                        UHS         lo0

Quote
traceroute mail.fbeye.org
traceroute to mail.domain.org (207.108.121.180), 64 hops max, 40 byte packets
 1  mail.domain.org (207.108.121.180)  0.293 ms  0.173 ms  0.123 ms

Quote
telnet mail.domain.org 25
Trying 207.108.121.180...
telnet: connect to address 207.108.121.180: Connection refused
telnet: Unable to connect to remote host

I have no VPNs or anything....

Connection refused is fundamentally different from a timeout as you first stated. Is your mail server listening on port 25 at all or are all your other devices using port 587 or 465? Use "netstat -na" on the mailserver to check.

What about a firewall on the mail server?

I am just curious. When OPNsense is sending out email via Monit, and since my email address is "local", is it leaving to the internet and then back in, or is it just sending and receiving locally via 'network logic'?
Also, as far as the OPNsense firewall goes, I only have 993 and 25 open for the email server.


tcp        0      0 0.0.0.0:63283           0.0.0.0:*               LISTEN
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:45387           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:imap            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:smtp            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:smtps           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:submission      0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:imaps           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:52299           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:52711           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:36849           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2280            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:nfsd            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:38131           0.0.0.0:*               LISTEN
tcp6       0      0 [::]:58035              [::]:*                  LISTEN
tcp6       0      0 [::]:43699              [::]:*                  LISTEN
tcp6       0      0 [::]:50803              [::]:*                  LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN
tcp6       0      0 [::]:33445              [::]:*                  LISTEN
tcp6       0      0 [::]:52405              [::]:*                  LISTEN
tcp6       0      0 [::]:2280               [::]:*                  LISTEN
tcp6       0      0 [::]:nfsd               [::]:*                  LISTEN
tcp6       0      0 [::]:34861              [::]:*                  LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN


I assumed you configure an explicit outbound SMTP relay in monit? Don't you? About every application I know has a setting like that. OPNsense - unless you install the postfix plugin - does not run an MTA itself. So if you want to send mail, the application in question should support configuring one.

With no MTA configured the fallback is to look up the MX records for the recipient domain and try SMTP to these servers.

All I did in Monit was

mail server address : mail.domain.org
mail server port    : 25
mail server username : username
mail server password : password

Those are the only mail related questions.

Other than that I have no other email settings at all in opns.

Unless monit would use the postfix plugin to send?

Have you tried the IP address instead of mail.domain.org? And mail.domain.org is your internal Slackware mail server?

Yes, x.x.x.180 is mail.domain.org and mail.domain.org is x.x.x.180...

I just tried, for fun, to use the LAN IP of the mail server, 192.168.1.180 and it works. For some reason when using the WAN IP or DOMAIN it gets blocked.

Ah ... so that's the WAN IP of OPNsense and you have an inbound firewall rule permitting that? When Monit opens that SMTP connection it does not come in the WAN interface, so that rule does not apply. Your other devices are probably served by NAT reflection but that also does not work for connections originating on OPNsense.

And I, trying to help you, had no idea you were not using the real IP address of the mail server.

So I guess we can consider this solved.
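
The distinction this thread turns on (timeout versus refused, public name versus LAN address), as an added example that is not part of the original posts: a small Python probe to run from the firewall's shell instead of reading telnet messages by hand. The function names and command-line form are assumptions for illustration; the addresses in the usage comment are the thread's own placeholders.

```python
#!/usr/bin/env python3
"""Classify TCP connects to a mail server: open, refused, timeout, ..."""
import socket
import sys


def probe(host, port=25, timeout=3.0):
    """One connect attempt, classified the way telnet's messages are read by hand."""
    result = {"host": host, "port": port, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                # An SMTP server speaks first; a 220 line confirms the service.
                result["banner"] = s.recv(256).decode("ascii", "replace").strip()
            except OSError:
                pass  # connected, but no greeting arrived within the timeout
            result["outcome"] = "open"
    except socket.gaierror:
        result["outcome"] = "dns-failure"   # the name did not resolve at all
    except (socket.timeout, TimeoutError):
        result["outcome"] = "timeout"       # SYN unanswered: dropped or misrouted
    except ConnectionRefusedError:
        result["outcome"] = "refused"       # RST came back: no listener or a reject rule
    except OSError:
        result["outcome"] = "unreachable"   # no route, network down, ...
    return result


def diagnose(public, internal):
    """Compare the public name/IP with the LAN IP, as the last posts do."""
    if public["outcome"] == "open":
        return "public address works from this host; check SMTP auth/TLS settings"
    if internal["outcome"] == "open":
        return ("use the internal address: the WAN rule and NAT reflection do not "
                "cover connections that originate on the firewall itself")
    return "server unreachable on both addresses; check listener and host firewall"


if __name__ == "__main__":
    # Usage (constructed): probe.py mail.domain.org 192.168.1.180
    pub, lan = (probe(h) for h in sys.argv[1:3])
    for r in (pub, lan):
        print(f'{r["host"]}:{r["port"]} -> {r["outcome"]} {r["banner"]}')
    print(diagnose(pub, lan))
```

A "timeout" result calls for the tcpdump hunt described earlier in the thread, while "refused" means an answer came back and the listener or a reject rule is the place to look.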