Re: [pfSense] issue a STARTTLS command
Hello!

Hannes Werner wrote:
> How did you apply the patches and where from?

Look at the beginning of the thread, a mail from Yehuda, there is a link to the git.

Andreas
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] issue a STARTTLS command
How did you apply the patches and where from?

On Thu, Oct 17, 2013 at 9:14 PM, Warren Baker wrote:
> On Thu, Oct 17, 2013 at 9:05 PM, Andreas Meyer wrote:
> > Hello!
> >
> > Applied the patches and starttls works fine.
>
> Cool - good to hear.
>
> --
> .warren
Re: [pfSense] issue a STARTTLS command
On Thu, Oct 17, 2013 at 9:05 PM, Andreas Meyer wrote:
> Hello!
>
> Applied the patches and starttls works fine.

Cool - good to hear.

--
.warren
Re: [pfSense] issue a STARTTLS command
Hello!

Applied the patches and starttls works fine.

Andreas

Yehuda Katz wrote:
> As of about a month ago
> (https://github.com/pfsense/pfsense/commit/1cddd59c4ed2341f87cf58d9b67d45c82ffd99d0)
> StartTLS is an independent setting and should work no matter what port you
> are using.
> I do not know whether that code has made it to a release (can log in to
> check from where I am now) and I don't know how much that changed the
> behavior from before, but it is probably worth a look.
>
> - Y
>
> On Wed, Oct 16, 2013 at 5:53 PM, Andreas Meyer wrote:
> > Hello!
> >
> > Moshe Katz wrote:
> > > On Wed, Oct 16, 2013 at 5:41 PM, Andreas Meyer wrote:
> > > > Hello all!
> > > >
> > > > php: /system_advanced_notifications.php: Could not send
> > > > the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS
> > > > command first
> > > >
> > > > Is starttls possible with pfsense?
> > >
> > > There is a checkbox on the "System" -> "Advanced" -> "Notifications" page
> > > that says "Enable SSL/TLS Authentication". Make sure that box is checked,
> > > and it should work.
> >
> > Isn't that checkbox for port 465 only?
> > php: /system_advanced_notifications.php: Could not send the message to
> > i...@anup.de -- Error: could not connect to the host "mail.anup.de": ??
> >
> > > Moshe
> >
> > Andreas
Re: [pfSense] issue a STARTTLS command
On Oct 17, 2013, at 3:31 AM, Andreas Meyer wrote:
> Warren Baker wrote:
>
>> On Thu, Oct 17, 2013 at 11:43 AM, Andreas Meyer wrote:
>>> I thought if I set "Notification E-Mail auth username (optional)"
>>> with the password, some kind of SASL is used. If I set it, the log says:
>>>
>>> php: /system_advanced_notifications.php: Could not send the message
>>> to i...@anup.de -- Error: server does not require authentication
>>
>> This means the smtp server does not advertise SMTP AUTH. The smtp
>> connection tests for this smtp extension and if it does not find AUTH
>> it returns that error.
>> That smtp username and password is then used in one of the supported
>> authentication methods (e.g. login, plain, cram-md5 etc.). It's not for
>> SASL.
>>
>> You can double check the server by doing a telnet to the port (25 or
>> 587) and sending EHLO fqdn and see what smtp extensions are supported.
>
> All right, I guess the
> 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> was not offered because of the smtpd_enforce_tls=yes and the MTA
> awaited a starttls first. I'll check that again.

You can test after starttls with:

    openssl s_client -connect fqdn:25 -starttls smtp

Then EHLO somefqdn
Re: [pfSense] issue a STARTTLS command
Warren Baker wrote:
> On Thu, Oct 17, 2013 at 11:43 AM, Andreas Meyer wrote:
> > I thought if I set "Notification E-Mail auth username (optional)"
> > with the password, some kind of SASL is used. If I set it, the log says:
> >
> > php: /system_advanced_notifications.php: Could not send the message
> > to i...@anup.de -- Error: server does not require authentication
>
> This means the smtp server does not advertise SMTP AUTH. The smtp
> connection tests for this smtp extension and if it does not find AUTH
> it returns that error.
> That smtp username and password is then used in one of the supported
> authentication methods (e.g. login, plain, cram-md5 etc.). It's not for
> SASL.
>
> You can double check the server by doing a telnet to the port (25 or
> 587) and sending EHLO fqdn and see what smtp extensions are supported.

All right, I guess the

250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5

was not offered because of the smtpd_enforce_tls=yes and the MTA
awaited a starttls first. I'll check that again.

Thank you!

Andreas
Re: [pfSense] issue a STARTTLS command
On Thu, Oct 17, 2013 at 11:43 AM, Andreas Meyer wrote:
> I thought if I set "Notification E-Mail auth username (optional)"
> with the password, some kind of SASL is used. If I set it, the log says:
>
> php: /system_advanced_notifications.php: Could not send the message
> to i...@anup.de -- Error: server does not require authentication

This means the smtp server does not advertise SMTP AUTH. The smtp
connection tests for this smtp extension and if it does not find AUTH
it returns that error.
That smtp username and password is then used in one of the supported
authentication methods (e.g. login, plain, cram-md5 etc.). It's not for
SASL.

You can double check the server by doing a telnet to the port (25 or
587) and sending EHLO fqdn and see what smtp extensions are supported.

--
.warren
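The check Warren describes (EHLO, look for AUTH) and the openssl s_client -starttls smtp variant in the reply above, written out as an added example; this is not pfSense's notification code nor anything from Postfix. The EHLO replies are constructed, the hostnames mail.example.net and relay.example.net are placeholders, and the assumption that AUTH only shows up once the session is encrypted mirrors a Postfix server with smtpd_tls_auth_only = yes, which is one explanation for what Andreas saw but not something the thread confirms. plan_session() decides the command sequence from the EHLO replies; probe() does the live EHLO / STARTTLS / EHLO round-trip with smtplib.

```python
"""Plan an ESMTP session the way a notification mailer should: EHLO, read the
extensions, STARTTLS when offered on 25/587, EHLO again, then decide whether
and how to AUTH. Added example for this thread, not pfSense or Postfix code.
The EHLO replies are constructed to mimic a Postfix server that announces
AUTH only on an encrypted session (smtpd_tls_auth_only = yes)."""
import smtplib
import ssl

# Constructed: what the server announces before STARTTLS (no AUTH yet) ...
EHLO_PLAIN = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
# ... and after it: STARTTLS gone, AUTH present. The AUTH= line is the legacy
# duplicate Postfix emits for old clients.
EHLO_TLS = (
    "250-mail.example.net\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n"
    "250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n"
    "250 8BITMIME\r\n"
)
# Constructed: a relay that offers AUTH on a cleartext session.
EHLO_CLEAR_AUTH = "250-relay.example.net\r\n250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 8BITMIME\r\n"


def parse_ehlo(raw):
    """Turn a multi-line EHLO reply into {EXTENSION: [args]}. Line 1 is the
    greeting; later lines are '250-EXT args', the last one '250 EXT args'."""
    exts = {}
    lines = [l.rstrip("\r") for l in raw.split("\n") if l.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected EHLO reply line: %r" % line)
        body = line[4:].strip()
        if not body:
            continue
        # "AUTH=PLAIN ..." names the same extension as "AUTH PLAIN ..."; merge.
        name, _, args = body.replace("=", " ", 1).partition(" ")
        known = exts.setdefault(name.upper(), [])
        for arg in args.split():
            if arg not in known:
                known.append(arg)
    return exts


def choose_mechanism(mechs, encrypted):
    """PLAIN/LOGIN only inside TLS. In the clear accept only challenge-response
    mechanisms, which at least keep the password itself off the wire."""
    order = ["PLAIN", "LOGIN", "CRAM-MD5"] if encrypted else ["CRAM-MD5", "DIGEST-MD5"]
    for mech in order:
        if mech in mechs:
            return mech
    raise RuntimeError("no acceptable AUTH mechanism on a %s session: %s"
                       % ("TLS" if encrypted else "cleartext", mechs))


def plan_session(port, ehlo_plain, ehlo_after_tls=None, want_auth=False,
                 client_starttls=True):
    """Ordered commands the client must send. client_starttls=False models a
    mailer that never issues STARTTLS on 25/587 (pfSense before the patch)."""
    encrypted = port == 465              # implicit TLS: encrypted from byte one
    features = ehlo_plain
    steps = ["EHLO (inside implicit TLS)" if encrypted else "EHLO (plaintext)"]
    if not encrypted and client_starttls and "STARTTLS" in features:
        if ehlo_after_tls is None:
            raise ValueError("need the EHLO reply seen after STARTTLS")
        # RFC 3207: forget everything learned before STARTTLS and EHLO again.
        steps += ["STARTTLS", "EHLO (inside TLS)"]
        features, encrypted = ehlo_after_tls, True
    if want_auth:
        mechs = features.get("AUTH", [])
        if not mechs:
            # The condition behind pfSense's "server does not require
            # authentication": AUTH is absent from the EHLO being looked at.
            raise RuntimeError("server does not advertise AUTH here; "
                               "does it require STARTTLS first?")
        steps.append("AUTH " + choose_mechanism(mechs, encrypted))
    return steps + ["MAIL FROM", "RCPT TO", "DATA"]


def probe(host, port, timeout=10):
    """Live counterpart (needs network, not run offline): EHLO, STARTTLS if
    offered, EHLO again. Returns smtplib's extension dicts (lowercase keys)
    before and after TLS. For port 465 use smtplib.SMTP_SSL instead."""
    ctx = ssl.create_default_context()   # verifies the server certificate
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before, after = dict(s.esmtp_features), None
        if s.has_extn("starttls"):
            s.starttls(context=ctx)
            s.ehlo()
            after = dict(s.esmtp_features)
    return before, after
```

Against a real server, probe(host, 587) returns the two extension dictionaries; the thing to look for is an "auth" key that is present in the second and absent from the first, which is exactly the situation in which a client that never sends STARTTLS reports that the server "does not require authentication". The planner refuses PLAIN or LOGIN on a cleartext session on purpose: a mailer that falls back to sending the password in the clear when STARTTLS fails is worse than one that fails loudly.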
Re: [pfSense] issue a STARTTLS command
Hello!

Warren Baker wrote:
> That commit was not pushed to 2.1 (I have done this now). So it will
> be available in the next release. It applies cleanly to 2.1 so you
> should just be able to apply that patch to your existing install.

OK, I'll do that.

> Andreas, that TLS option was only aimed at 465 connections where the
> actual transport layer is secured.
> Port 25 and Port 587 are plaintext ports until STARTTLS is sent, which
> upgrades the connection from plaintext to a secured one.

Yes, this is my understanding of starttls. I only need it if I set the MTA
to smtpd_enforce_tls=yes. In the LAN that's not implicitly necessary.

> Prior to this commit one could only use port 465 (IIRC there might
> still have been a problem). Port 465 is deprecated (way back in 1998)
> as well, so its use should be avoided.

OK. But I have another problem with the notification email of pfSense.

I thought if I set "Notification E-Mail auth username (optional)"
with the password, some kind of SASL is used. If I set it, the log says:

php: /system_advanced_notifications.php: Could not send the message
to i...@anup.de -- Error: server does not require authentication

and the connection to the MTA is lost. If I don't set it, the
notification email is blocked, because the pfSense is considered a dialup IP.

Oct 17 11:37:03 delta postfix/smtpd[27273]: connect from p54B30B6D.dip0.t-ipconnect.de[84.179.11.109]
Oct 17 11:37:03 delta postfix/smtpd[27273]: NOQUEUE: reject: RCPT from p54B30B6D.dip0.t-ipconnect.de[84.179.11.109]: 554 5.7.1 Service unavailable; Client host [84.179.11.109] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=84.179.11.109; from= to= proto=ESMTP helo=
Oct 17 11:37:04 delta postfix/smtpd[27273]: lost connection after DATA from p54B30B6D.dip0.t-ipconnect.de[84.179.11.109]
Oct 17 11:37:04 delta postfix/smtpd[27273]: disconnect from p54B30B6D.dip0.t-ipconnect.de[84.179.11.109]

I thought this SMTP authentication is used to tell the MTA I'm allowed
to send and the check of zen.spamhaus.org comes after that.

Andreas

> On Thu, Oct 17, 2013 at 12:22 AM, Andreas Meyer wrote:
> > Hello!
> >
> > I tried with both, port 587 and port 25. I use
> >
> > 2.1-RELEASE (i386)
> > built on Wed Sep 11 18:16:22 EDT 2013
> > FreeBSD 8.3-RELEASE-p11
> >
> > nanobsd (4g)
> >
> > Andreas
> >
> > Yehuda Katz wrote:
> > > As of about a month ago
> > > (https://github.com/pfsense/pfsense/commit/1cddd59c4ed2341f87cf58d9b67d45c82ffd99d0)
> > > StartTLS is an independent setting and should work no matter what port you
> > > are using.
> > > I do not know whether that code has made it to a release (can log in to
> > > check from where I am now) and I don't know how much that changed the
> > > behavior from before, but it is probably worth a look.
> > >
> > > - Y
> > >
> > > On Wed, Oct 16, 2013 at 5:53 PM, Andreas Meyer wrote:
> > > > Hello!
> > > >
> > > > Moshe Katz wrote:
> > > > > On Wed, Oct 16, 2013 at 5:41 PM, Andreas Meyer wrote:
> > > > > > Hello all!
> > > > > >
> > > > > > php: /system_advanced_notifications.php: Could not send
> > > > > > the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS
> > > > > > command first
> > > > > >
> > > > > > Is starttls possible with pfsense?
> > > > >
> > > > > There is a checkbox on the "System" -> "Advanced" -> "Notifications" page
> > > > > that says "Enable SSL/TLS Authentication". Make sure that box is checked,
> > > > > and it should work.
> > > >
> > > > Isn't that checkbox for port 465 only?
> > > > php: /system_advanced_notifications.php: Could not send the message to
> > > > i...@anup.de -- Error: could not connect to the host "mail.anup.de": ??
> > > >
> > > > > Moshe
> > > >
> > > > Andreas
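The Postfix log Andreas posted, read by a small session reconstructor; this is an added example, not from the thread, pfSense or Postfix. It groups smtpd lines by process ID into connect..disconnect sessions, pulls out NOQUEUE rejects with their SMTP stage and the RBL named in the reason, and records the SASL username when one is logged. Postfix names the SASL user only on the "client=" line of an accepted message, so an RCPT-stage reject with no such line means no authenticated message got through; whether AUTH was attempted at all is not visible in these four lines. The three log lines after Andreas's four are constructed, with placeholder host fw.example.lan, IP 192.0.2.10, queue ID and username, to show what an authenticated submission looks like.

```python
"""Reconstruct Postfix smtpd sessions from syslog lines and say, per client
session, whether an authenticated message was accepted or a reject was
logged instead. Added example, not from the thread, pfSense or Postfix.
The first four log lines are the ones posted above (angle-bracketed fields
were lost in the archive); the last three are constructed, with placeholder
host, IP, queue ID and username, to show what an authenticated submission
logs."""
import re

LOG = """\
Oct 17 11:37:03 delta postfix/smtpd[27273]: connect from p54B30B6D.dip0.t-ipconnect.de[84.179.11.109]
Oct 17 11:37:03 delta postfix/smtpd[27273]: NOQUEUE: reject: RCPT from p54B30B6D.dip0.t-ipconnect.de[84.179.11.109]: 554 5.7.1 Service unavailable; Client host [84.179.11.109] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=84.179.11.109; from= to= proto=ESMTP helo=
Oct 17 11:37:04 delta postfix/smtpd[27273]: lost connection after DATA from p54B30B6D.dip0.t-ipconnect.de[84.179.11.109]
Oct 17 11:37:04 delta postfix/smtpd[27273]: disconnect from p54B30B6D.dip0.t-ipconnect.de[84.179.11.109]
Oct 17 11:52:10 delta postfix/smtpd[27310]: connect from fw.example.lan[192.0.2.10]
Oct 17 11:52:11 delta postfix/smtpd[27310]: 3A1B2C3D4E: client=fw.example.lan[192.0.2.10], sasl_method=PLAIN, sasl_username=pfsense
Oct 17 11:52:12 delta postfix/smtpd[27310]: disconnect from fw.example.lan[192.0.2.10]
"""

SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
REJECT = re.compile(r"^NOQUEUE: reject: (?P<stage>\w+) from \S+: (?P<code>\d{3}) \S+ "
                    r"(?P<reason>.*?)(?:; from=|$)")
ACCEPT = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=[^,\s]+"
                    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?")
RBL = re.compile(r"blocked using (?P<rbl>[^;\s]+)")


def summarize(log_text):
    """Group smtpd lines by process ID into connect..disconnect sessions."""
    sessions, open_by_pid = [], {}
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        c = CONNECT.match(msg)
        if c:
            s = {"pid": pid, "host": c["host"], "ip": c["ip"], "sasl_method": None,
                 "sasl_user": None, "rejects": [], "queued": []}
            sessions.append(s)
            open_by_pid[pid] = s
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue                   # line from a session whose start we missed
        r = REJECT.match(msg)
        if r:
            rbl = RBL.search(r["reason"])
            s["rejects"].append({"stage": r["stage"], "code": r["code"],
                                 "rbl": rbl["rbl"] if rbl else None})
            continue
        a = ACCEPT.match(msg)
        if a:
            # Postfix names the SASL user only here, on an accepted message.
            s["queued"].append(a["qid"])
            if a["user"]:
                s["sasl_method"], s["sasl_user"] = a["method"], a["user"]
            continue
        if msg.startswith("disconnect from"):
            open_by_pid.pop(pid, None)
    return sessions


def verdict(s):
    """One-line summary per session, the thing to grep for when a
    notification mail goes missing."""
    if s["sasl_user"]:
        return "%s: queued %s after AUTH %s as %s" % (
            s["ip"], ",".join(s["queued"]), s["sasl_method"], s["sasl_user"])
    if s["rejects"]:
        r = s["rejects"][0]
        via = (", " + r["rbl"]) if r["rbl"] else ""
        return "%s: rejected at %s (%s%s), no authenticated message seen" % (
            s["ip"], r["stage"], r["code"], via)
    return "%s: no message queued, no reject logged" % s["ip"]
```

Whether an authenticated client skips the RBL lookup at all depends on permit_sasl_authenticated appearing before reject_rbl_client in the server's smtpd restriction lists; the log alone does not show that order, only that this session reached RCPT without an accepted, authenticated message.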
Re: [pfSense] issue a STARTTLS command
That commit was not pushed to 2.1 (I have done this now). So it will
be available in the next release. It applies cleanly to 2.1 so you
should just be able to apply that patch to your existing install.

Andreas, that TLS option was only aimed at 465 connections where the
actual transport layer is secured.
Port 25 and Port 587 are plaintext ports until STARTTLS is sent, which
upgrades the connection from plaintext to a secured one.

Prior to this commit one could only use port 465 (IIRC there might
still have been a problem). Port 465 is deprecated (way back in 1998)
as well, so its use should be avoided.

On Thu, Oct 17, 2013 at 12:22 AM, Andreas Meyer wrote:
> Hello!
>
> I tried with both, port 587 and port 25. I use
>
> 2.1-RELEASE (i386)
> built on Wed Sep 11 18:16:22 EDT 2013
> FreeBSD 8.3-RELEASE-p11
>
> nanobsd (4g)
>
> Andreas
>
> Yehuda Katz wrote:
> > As of about a month ago
> > (https://github.com/pfsense/pfsense/commit/1cddd59c4ed2341f87cf58d9b67d45c82ffd99d0)
> > StartTLS is an independent setting and should work no matter what port you
> > are using.
> > I do not know whether that code has made it to a release (can log in to
> > check from where I am now) and I don't know how much that changed the
> > behavior from before, but it is probably worth a look.
> >
> > - Y
> >
> > On Wed, Oct 16, 2013 at 5:53 PM, Andreas Meyer wrote:
> > > Hello!
> > >
> > > Moshe Katz wrote:
> > > > On Wed, Oct 16, 2013 at 5:41 PM, Andreas Meyer wrote:
> > > > > Hello all!
> > > > >
> > > > > php: /system_advanced_notifications.php: Could not send
> > > > > the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS
> > > > > command first
> > > > >
> > > > > Is starttls possible with pfsense?
> > > >
> > > > There is a checkbox on the "System" -> "Advanced" -> "Notifications" page
> > > > that says "Enable SSL/TLS Authentication". Make sure that box is checked,
> > > > and it should work.
> > >
> > > Isn't that checkbox for port 465 only?
> > > php: /system_advanced_notifications.php: Could not send the message to
> > > i...@anup.de -- Error: could not connect to the host "mail.anup.de": ??
> > >
> > > > Moshe
> > >
> > > Andreas

--
.warren
Re: [pfSense] issue a STARTTLS command
Hello!

I tried with both, port 587 and port 25. I use

2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11

nanobsd (4g)

Andreas

Yehuda Katz wrote:
> As of about a month ago
> (https://github.com/pfsense/pfsense/commit/1cddd59c4ed2341f87cf58d9b67d45c82ffd99d0)
> StartTLS is an independent setting and should work no matter what port you
> are using.
> I do not know whether that code has made it to a release (can log in to
> check from where I am now) and I don't know how much that changed the
> behavior from before, but it is probably worth a look.
>
> - Y
>
> On Wed, Oct 16, 2013 at 5:53 PM, Andreas Meyer wrote:
> > Hello!
> >
> > Moshe Katz wrote:
> > > On Wed, Oct 16, 2013 at 5:41 PM, Andreas Meyer wrote:
> > > > Hello all!
> > > >
> > > > php: /system_advanced_notifications.php: Could not send
> > > > the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS
> > > > command first
> > > >
> > > > Is starttls possible with pfsense?
> > >
> > > There is a checkbox on the "System" -> "Advanced" -> "Notifications" page
> > > that says "Enable SSL/TLS Authentication". Make sure that box is checked,
> > > and it should work.
> >
> > Isn't that checkbox for port 465 only?
> > php: /system_advanced_notifications.php: Could not send the message to
> > i...@anup.de -- Error: could not connect to the host "mail.anup.de": ??
> >
> > > Moshe
> >
> > Andreas
Re: [pfSense] issue a STARTTLS command
As of about a month ago
(https://github.com/pfsense/pfsense/commit/1cddd59c4ed2341f87cf58d9b67d45c82ffd99d0)
StartTLS is an independent setting and should work no matter what port you
are using.
I do not know whether that code has made it to a release (can log in to
check from where I am now) and I don't know how much that changed the
behavior from before, but it is probably worth a look.

- Y

On Wed, Oct 16, 2013 at 5:53 PM, Andreas Meyer wrote:
> Hello!
>
> Moshe Katz wrote:
> > On Wed, Oct 16, 2013 at 5:41 PM, Andreas Meyer wrote:
> > > Hello all!
> > >
> > > php: /system_advanced_notifications.php: Could not send
> > > the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS
> > > command first
> > >
> > > Is starttls possible with pfsense?
> >
> > There is a checkbox on the "System" -> "Advanced" -> "Notifications" page
> > that says "Enable SSL/TLS Authentication". Make sure that box is checked,
> > and it should work.
>
> Isn't that checkbox for port 465 only?
> php: /system_advanced_notifications.php: Could not send the message to
> i...@anup.de -- Error: could not connect to the host "mail.anup.de": ??
>
> > Moshe
>
> Andreas
Re: [pfSense] issue a STARTTLS command
Hello!

Moshe Katz wrote:
> On Wed, Oct 16, 2013 at 5:41 PM, Andreas Meyer wrote:
> > Hello all!
> >
> > php: /system_advanced_notifications.php: Could not send
> > the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS
> > command first
> >
> > Is starttls possible with pfsense?
>
> There is a checkbox on the "System" -> "Advanced" -> "Notifications" page
> that says "Enable SSL/TLS Authentication". Make sure that box is checked,
> and it should work.

Isn't that checkbox for port 465 only?
php: /system_advanced_notifications.php: Could not send the message to
i...@anup.de -- Error: could not connect to the host "mail.anup.de": ??

> Moshe

Andreas
Re: [pfSense] issue a STARTTLS command
On Wed, Oct 16, 2013 at 5:41 PM, Andreas Meyer wrote:
> Hello all!
>
> php: /system_advanced_notifications.php: Could not send
> the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS
> command first
>
> Is starttls possible with pfsense?
>
> Greetings
>
> Andreas

There is a checkbox on the "System" -> "Advanced" -> "Notifications" page
that says "Enable SSL/TLS Authentication". Make sure that box is checked,
and it should work.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732
[pfSense] issue a STARTTLS command
Hello all!

php: /system_advanced_notifications.php: Could not send
the message to i...@anup.de -- Error: 530 5.7.0 Must issue a STARTTLS
command first

Is starttls possible with pfsense?

Greetings

Andreas