pfSense cannot send email using MIAB

I am using the current version of pfSense and trying to use a fully updated MIAB linode. When I try to test using pfSense I get Failed to connect to ssl://box.{servername}.net:587 [SMTP: Failed to connect socket: stream_socket_client(): unable to connect to ssl://box.{servername}.net:587 (Unknown error) (code: -1, response: )]. By the way, there are no issues when working with Gmail. But I know Gmail may be pretty liberal with what they accept.

I am able to connect from the same network using Outlook 2016 so it is not a firewall issue on either side. I spoke with Netgate (pfSense) support and they think it must be an issue with MIAB.

My question is how can I get a complete transcript of the SMTP conversation on the MIAB side?

Thanks in advance!
Paul.

Anyone have any ideas on this?

What do your MiaB logs say about the connection attempt? Show the appropriate entry and someone may be able to assist.

Which/where is the log?

I’d start with the mail log located at:

/var/log/mail.log

You can open an SSH session to your box and then use the following command to see the last 20 or so lines of the log

sudo tail -f /var/log/mail.log

With that window open try connecting with pfSense. You should see the connection attempt and any messages as this will show the current activity of the log file in the terminal.

If you are connecting TO the pfSense MIAB virtual machine from OUTSIDE the network, pfSense will need its firewall modified, as well as your modem / hardware firewall, to allow ports:

  • 25
  • 587
  • 993
  • 80
  • 443

At the very least. For a complete setup, ports 53 (UDP) and 22 (TCP) should be allowed as well, but they are not required in all setups.

What is your configuration (e.g., local network with pfSense gateway connecting to MiaB located outside the network; local network with pfSense gateway connecting to MiaB on local device and LAN; local network with pfSense gateway connecting to MiaB on local device but separate network, etc.)?

Here is the log.

https://pastebin.com/1NtBptYB - I could not paste the log as it was interpreted as having too many links.

Here is a diagram - this is not working from multiple locations.

I have a pfSense in my office.

If I try to use Outlook on my LAN - MIAB is just fine.

If I then try to configure pfSense to use MIAB then it fails with the following error:

Could not send the message to incident3@company.com – Error: Failed to connect to ssl://box.company.net:587 [SMTP: Failed to connect socket: stream_socket_client(): unable to connect to ssl://box.company.net:587 (Unknown error) (code: -1, response: )]

OH!!! That makes more sense; I thought you were using pfSense as a VM host. According to the configuration you selected, you are trying to use SSL (STARTTLS is different from SSL over SMTP AFAIK). Either change the protocol used from SSL to STARTTLS, or change the port from 587 to 465.
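The distinction drawn in this reply is the one that explains the original error: pfSense's "SMTP over SSL/TLS" (the ssl:// in the error text) means a TLS handshake immediately at connect, which is what port 465 expects, while port 587 expects a plaintext connection that is upgraded with STARTTLS. The following script, added here as an example and not part of the thread, pfSense or Mail-in-a-Box, probes a submission endpoint both ways with Python's standard `smtplib` and reports which failure mode it hit. The host name `box.example.net`, the credentials and the function names are assumptions for illustration; `advertised_extensions` parses a raw EHLO reply as you would see it in a packet capture or `openssl s_client -starttls smtp` output.

```python
"""Probe an SMTP submission endpoint the two ways a client can secure it.

Added example (not from the thread or from pfSense / Mail-in-a-Box). The
host name, credentials and function names are assumed for illustration.
"""
import smtplib
import socket
import ssl
import sys


def advertised_extensions(raw_reply: bytes) -> dict:
    """Parse a raw multi-line '250' EHLO reply as seen on the wire into
    {EXTENSION: [parameters]}.  The first line carries the server's host
    name rather than an extension and is skipped.
    """
    exts = {}
    for line in raw_reply.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250"):
            continue
        parts = line[4:].split()      # drop the '250-' / '250 ' prefix
        if parts:
            exts[parts[0].upper()] = parts[1:]
    return exts


def probe(host, port, mode, user=None, password=None, timeout=10):
    """Try to reach host:port and return a dict describing the outcome.

    mode="starttls": plaintext connect, then STARTTLS (RFC 3207); the
                     normal pairing for port 587.
    mode="tls":      TLS handshake immediately at connect ("implicit TLS",
                     what pfSense's 'SMTP over SSL/TLS' / ssl:// means);
                     the normal pairing for port 465.
    Sending mode="tls" to a STARTTLS-only port fails in the handshake,
    because the server answers with a plaintext '220' banner, not TLS.
    """
    ctx = ssl.create_default_context()   # verifies the box's certificate
    try:
        if mode == "tls":
            smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                smtp.quit()
                return {"ok": False, "reason": "server did not offer STARTTLS"}
            smtp.starttls(context=ctx)
        smtp.ehlo()                       # re-EHLO after TLS to see the AUTH list
        features = dict(smtp.esmtp_features)
        if user is not None:
            smtp.login(user, password)    # smtplib picks PLAIN/LOGIN from AUTH
        smtp.quit()
        return {"ok": True, "features": features}
    except ssl.SSLError as exc:
        return {"ok": False, "reason": f"TLS handshake failed: {exc}"}
    except socket.timeout:
        return {"ok": False, "reason": "connect timed out (filtered, or nothing listening)"}
    except smtplib.SMTPException as exc:  # auth failure, 5xx reply, etc.
        return {"ok": False, "reason": f"SMTP error: {exc}"}
    except OSError as exc:                # refused, unreachable, reset
        return {"ok": False, "reason": f"socket error: {exc}"}


if __name__ == "__main__":
    # Assumed host name; pass the real one as the first argument.
    box = sys.argv[1] if len(sys.argv) > 1 else "box.example.net"
    for port, mode in ((587, "starttls"), (587, "tls"), (465, "tls")):
        print(port, mode, probe(box, port, mode))
```

Run it against the box from the pfSense side of the network: a handshake failure on 587/"tls" together with success on 587/"starttls" reproduces the mismatch discussed above, while a timeout on 465 points at nothing listening on that port or a firewall in the path rather than at TLS.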

Ok - so I changed the port to 465 and left Secure SMTP Connection, Enable SMTP over SSL/TLS checked. I do not see that pfSense supports STARTTLS. Now I get:

Could not send the message to incident3@company.com – Error: Failed to connect to ssl://box.company.net:465 [SMTP: Failed to connect socket: Operation timed out (code: -1, response: )]

For giggles, just to make sure it can connect in SOME way, disable SSL/TLS, disable the secure SMTP and change port to 25. Just for giggles. If that works I can probably find a config that works, if not then you need to check your firewall.

Also, can you screenshot your current config too? (Be sure to clear any sensitive info!)

I just tried port 25 - this is what I got:

Could not send the message to incident3@company.com – Error: Failed to add recipient: incident3@company.com [SMTP: Invalid response code received from server (code: 554, response: 5.7.1 Service unavailable; Client host [73.186.225.94] blocked using zen.spamhaus.org; https://www.spamhaus.org/query/ip/73.186.225.94)]

which is because we are on Comcast - https://www.spamhaus.org/pbl/query/PBL1625036

so it looks like I cannot test it…

Is there a way to turn off blocking temporarily?

Which config do you want a screen shot of?

Your server blocked you because the IP pfSense is using is on a blacklist. Contact Spamhaus to get it removed; it literally tells you there in the message :wink:

Looks like it can’t be removed:

73.186.0.0/16 is listed on the Policy Block List (PBL)

Outbound Email Policy of Comcast for this IP range:

Email sent by Comcast subscribers using a mail program such as Outlook Express are required to send the email through Comcast. To insure your mail program is properly configured, please visit Discovery Hub - News & Technology. If you are a Comcast Commercial Services customer and need support, please contact support_biz@cable.comcast.com

Removal Procedure

Removal of IP addresses within this range from the PBL is not allowed by the netblock owner’s policy.

I really hope I never have to use Comcast.

I love Comcast! And funny enough I only use webmail when at home, so that ToS bit doesn’t apply to me. :smiley:

This is where email server admins need to stop and pause. It’s one thing to have an “easy to run” email server, and kudos to Josh for all his hard work, BTW, but understanding email concepts is important.

Email servers shouldn’t be run for example on IP address ranges that are allocated by DHCP - this is because even if they don’t change very often (and I’ve had my current Virgin Media cable IP for over a year now), they MAY change.

To that end email reaching Mail exchangers SHOULD NEVER come from one of these IP addresses.

This has prompted the creation of a number of Policy Blacklists which include as many known DHCP allocated IP ranges as possible. Two of the most well known are:

Spamhaus PBL
SORBS DUHL

Note that if you are on the PBL you will also be included in Spamhaus’ Zen blacklist which is a master list of all the different zones that they have, this enables mail exchanger admins to make one single query that covers all Spamhaus’ blacklists.

Email programs aren’t affected as most mail clients talk to dedicated email servers that authenticate the connection via different means before accepting the email.

Edit - Indeed even MIAB treats mail coming in on port 25 differently to mail coming in on port 587 for precisely this reason: in the former it’s acting as a mail exchanger, in the latter it’s acting as a submission server.
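The earlier advice to watch /var/log/mail.log and the point just made about port 25 versus 587 come together when you read the Postfix log by client IP: Postfix logs the MX listener as `postfix/smtpd` and the submission listener under its own `syslog_name` (`postfix/submission/smtpd` on a stock Ubuntu master.cf, which is assumed here), so the same client address shows up on two different paths with different rules. The script below is an added example, not part of the thread or of Mail-in-a-Box; the log lines in it are constructed to follow the shapes Postfix uses (`connect from`, `NOQUEUE: reject:`, `client=... sasl_username=`, `lost connection after CONNECT`), with documentation-range IPs, and the exact wording on a given box may differ.

```python
"""Explain a client's mail.log history by listener role (MX vs submission).

Added example; not from the thread or Mail-in-a-Box.  The sample log is
constructed, using documentation-range addresses.
"""
import re
from collections import Counter

# Constructed sample: one client hits the MX path and a DNSBL, then the
# submission port with a protocol mismatch; a second client authenticates.
SAMPLE_LOG = "\n".join([
    "Mar  3 14:02:11 box postfix/smtpd[1201]: connect from pfsense.example.net[203.0.113.10]",
    "Mar  3 14:02:12 box postfix/smtpd[1201]: NOQUEUE: reject: RCPT from pfsense.example.net[203.0.113.10]: "
    "554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using zen.spamhaus.org; "
    "https://www.spamhaus.org/query/ip/203.0.113.10; from=<alerts@example.net> to=<incident@example.com> "
    "proto=ESMTP helo=<pfsense.example.net>",
    "Mar  3 14:02:12 box postfix/smtpd[1201]: disconnect from pfsense.example.net[203.0.113.10] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
    "Mar  3 14:05:40 box postfix/submission/smtpd[1207]: connect from pfsense.example.net[203.0.113.10]",
    "Mar  3 14:05:40 box postfix/submission/smtpd[1207]: lost connection after CONNECT from pfsense.example.net[203.0.113.10]",
    "Mar  3 14:05:40 box postfix/submission/smtpd[1207]: disconnect from pfsense.example.net[203.0.113.10] commands=0/0",
    "Mar  3 14:09:03 box postfix/submission/smtpd[1210]: connect from laptop.example.net[198.51.100.7]",
    "Mar  3 14:09:04 box postfix/submission/smtpd[1210]: 4F2A1C0B7E: client=laptop.example.net[198.51.100.7], "
    "sasl_method=LOGIN, sasl_username=alerts@example.net",
    "Mar  3 14:09:04 box postfix/submission/smtpd[1210]: disconnect from laptop.example.net[198.51.100.7] "
    "ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8",
])

# syslog prefix: "<timestamp> <host> postfix/<service>[pid]: <message>"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>postfix/[\w/]+)\[\d+\]: (?P<msg>.*)$")
# client address in "from host[ip]" or "client=host[ip]" forms
CLIENT = re.compile(r"(?:from |client=)\S*\[(?P<ip>[0-9a-fA-F.:]+)\]")
# reject line: stage, SMTP code, enhanced status, text up to the "; from=" envelope info
REJECT = re.compile(r"NOQUEUE: reject: (?P<stage>\w+) from \S*\[[^\]]+\]: "
                    r"(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) (?P<text>.*?)(?:; from=|$)")


def classify(prog, msg):
    """Map a log line to (listener role, event kind)."""
    if prog == "postfix/smtpd":
        role = "mx"                       # port 25: peer MTAs, DNSBLs apply
    elif "submission" in prog or "smtps" in prog:
        role = "submission"               # 587/465: authenticated clients
    else:
        role = "other"
    if msg.startswith("NOQUEUE: reject:"):
        kind = "reject"
    elif msg.startswith("connect from"):
        kind = "connect"
    elif msg.startswith("lost connection") or "SSL_accept error" in msg:
        kind = "tls_or_protocol_failure"  # session died before SMTP got going
    elif "sasl_username=" in msg:
        kind = "auth_ok"
    elif msg.startswith("disconnect from"):
        kind = "disconnect"
    else:
        kind = "other"
    return role, kind


def events_for(log_text, ip):
    """All parsed log events involving the given client IP, in log order."""
    out = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        cm = CLIENT.search(m["msg"])
        if not cm or cm["ip"] != ip:
            continue
        role, kind = classify(m["prog"], m["msg"])
        out.append({"ts": m["ts"], "prog": m["prog"], "role": role, "kind": kind, "msg": m["msg"]})
    return out


def summarize(log_text, ip):
    """Counter keyed by (role, kind); missing keys read as 0."""
    return Counter((e["role"], e["kind"]) for e in events_for(log_text, ip))


def rejections(log_text, ip):
    """Structured view of every NOQUEUE rejection for the IP."""
    out = []
    for e in events_for(log_text, ip):
        rm = REJECT.match(e["msg"]) if e["kind"] == "reject" else None
        if rm:
            out.append({"role": e["role"], "stage": rm["stage"], "code": rm["code"],
                        "esc": rm["esc"], "text": rm["text"]})
    return out


def diagnose(log_text, ip):
    """Plain-language notes on what the log says about this client."""
    s = summarize(log_text, ip)
    notes = []
    if any(r["role"] == "mx" and "blocked using" in r["text"] for r in rejections(log_text, ip)):
        notes.append("DNSBL rejection on the MX path (port 25): the client spoke to smtpd as a peer "
                     "mail server. Use submission (587/465) with SASL auth instead; DNSBL checks do "
                     "not apply there.")
    if s[("submission", "tls_or_protocol_failure")] and not s[("submission", "auth_ok")]:
        notes.append("Submission sessions ended before any SMTP command completed: check that the "
                     "client's TLS mode (STARTTLS vs TLS at connect) matches the port it is using.")
    if s[("submission", "auth_ok")]:
        notes.append("At least one authenticated submission succeeded from this IP.")
    return notes


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, dict(summarize(SAMPLE_LOG, ip)))
        for note in diagnose(SAMPLE_LOG, ip):
            print("  -", note)
```

To use it on a real box, read /var/log/mail.log into `log_text` and pass the client's public IP; the output separates what happened on the MX listener, where a Spamhaus PBL listing is a legitimate reason to refuse mail from a residential address, from what happened on the submission listener, where the only things that matter are TLS mode and credentials.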

You did see the part where the OP stated the MiaB is on Linode, and the offending IP address is the one assigned to the pfSense gateway network device?

I am actually confused about what email address pfSense is using to send email, because the IP address of a MUA (which is effectively what pfSense uses), should not impact mail, and the Spamhaus page seems to communicate that mail has to be proxied through Comcast. I’ve got an information gap some place.


I had been using a Gmail account for sending messages from my pfSense gateway, so after reading this post I decided to use an MiaB address.

Here are the key settings I have configured for this to work:

SMTP Port of E-Mail server: 587
Validate SSL/TLS: check
Notification of E-Mail auth mechanism: LOGIN (also works with PLAIN)

Be sure to save before clicking Test SMTP Settings.

Although Spectrum is far superior to Comcast because it does not put my IP address on any blacklists, pfSense is only behaving as a MUA, so MiaB should not be concerned about blacklisted IP address access for clients.

I missed this part although if you look at my post it does explain the reason. When did MIAB start using Spamhaus BTW?

If you have a look at this part of what I posted it explains why he’s being blacklisted.

First thing @parisi could do is have a look at pfSense to see if there’s any update to allow it to send using port 587. Alternatively there are two possibilities I could think of.

  1. Configure postfix to accept mail on port 465 SSL/TLS
  2. Set up Stunnel on the server to tunnel connections from port 465 SSL/TLS to port 587 StartTLS.

Tim
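The first of the two options above, an implicit-TLS listener on 465 for clients that cannot do STARTTLS, is a single extra service entry in Postfix's master.cf. The fragment below is an added example, not Mail-in-a-Box's own configuration: the service name `smtps` resolves to 465 through /etc/services, `smtpd_tls_wrappermode=yes` is what makes Postfix expect the TLS handshake at connect instead of after STARTTLS, and the remaining `-o` lines are assumptions meant to mirror whatever your existing `submission` entry already sets, so copy those from your box rather than from here.

```text
# /etc/postfix/master.cf -- implicit TLS on port 465 (service name "smtps")
# Added example; copy the -o options from your existing "submission" entry.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, open 465/tcp in the box's own firewall (ufw on a Mail-in-a-Box host) and in anything in front of it, then test with `openssl s_client -connect box.example.net:465` (host name assumed): you should get a TLS handshake first and the `220` banner inside it. Keep `permit_sasl_authenticated,reject` on this listener so that, like 587, it never relays for unauthenticated clients; and because Mail-in-a-Box manages Postfix from its setup scripts, re-check the entry after the next upgrade.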