
SMTP Notification over SSL/TLS not working #1983

Closed
JasMan78 opened this issue Dec 8, 2017 · 7 comments
Labels: bug (Production bug)

Comments

JasMan78 commented Dec 8, 2017

Hi,

The SMTP notification is not working with some providers, or in general when "Enable SMTP over SSL/TLS" is checked.

Dec 8 22:03:11 opnsense: /system_advanced_notifications.php: Could not send the message to me@home.de -- Error: could not connect to the host "smtp.strato.de": ??

When I disable SSL/TLS and use port 587, the notification is sent out.
My OPNsense version is OPNsense 17.7.9_8-amd64. I'm new to OPNsense, so I don't know since which version this issue appears.

Because I've found a post in the German OPNsense forum which describes the same behaviour with another provider, and the same issue in the pfSense bug list, I think it could also be a bug in OPNsense.

German forum: https://forum.opnsense.org/index.php?topic=6263.msg26469#msg26469
pfSense bug: https://redmine.pfsense.org/issues/5604

Thank you.
Jas Man

NOYB (Contributor) commented Dec 14, 2017

Although the symptoms are similar to what some pfSense users experience, the causes are totally different.

In the OPNsense case it is caused by notices.smtp.inc: fsockopen is being passed the IP address instead of the domain name, so certificate validation fails.

To test, "$ip" can be replaced with "$domain" in the 2 fsockopen calls.

I just tracked this down a few minutes ago, so it's fresh off the press. Of course the SMTP server has to present a certificate that is trusted by the client (OPNsense). So if you signed your own, the CA will need to be added.

AdSchellevis (Member) commented

We don't really use the notifications, there are only a few places left where they are triggered. Maybe monit is a better alternative to receive status messages.

NOYB (Contributor) commented Dec 18, 2017

Since it is available and being used, it would seem appropriate for it to be functional, and secure.

As it stands, SMTPS fails due to the certificate being verified against the IP address instead of the domain.

And STARTTLS is open to MITM due to peer verification being disabled. Perhaps that was done to accommodate fsockopen using the IP address instead of the domain.

Passing $domain to fsockopen instead of $ip allows both SMTPS and STARTTLS (if verifications enabled) to establish secure connections.
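The two failure modes NOYB describes (SMTPS verification against the IP, and STARTTLS with peer verification off), shown side by side with the verified variants as an added PHP example; this is not the OPNsense notices.smtp.inc code, and the hostname, ports and EHLO name are assumptions:

```php
<?php
// Added example, not OPNsense's notices.smtp.inc. Hostname/ports are assumptions.
$domain = 'smtp.example.net';            // assumption: your provider's SMTP host
$ip     = gethostbyname($domain);        // what the buggy code handed to fsockopen

// Context used for the fixed variants: verify the chain AND pin the expected
// name to the hostname, so a MITM presenting some other valid cert is rejected.
$ctx = stream_context_create(['ssl' => [
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'peer_name'         => $domain,
    'allow_self_signed' => false,        // add your own CA to the trust store instead
]]);

// 1) Broken SMTPS pattern: PHP (5.6+) verifies the certificate against the host
//    string it was given, here an IP that provider certificates normally do not name.
$bad = @fsockopen("ssl://$ip", 465, $errno, $errstr, 10);
echo "SMTPS by IP:   " . ($bad ? "connected (unexpected)" : "failed: $errstr") . "\n";

// 2) Fixed SMTPS pattern: connect by hostname so validation has the right name.
$good = stream_socket_client("ssl://$domain:465", $errno, $errstr, 10,
                             STREAM_CLIENT_CONNECT, $ctx);
echo "SMTPS by name: " . ($good ? trim(fgets($good)) : "failed: $errstr") . "\n";
if ($good) { fclose($good); }

// 3) STARTTLS on 587: plain connect by hostname, then upgrade with the same
//    verifying context. Disabling verify_peer here (the other bug NOYB notes)
//    would let an on-path attacker terminate the TLS session unnoticed.
function smtp_starttls(string $domain, int $port, $ctx)
{
    $s = stream_socket_client("tcp://$domain:$port", $errno, $errstr, 10,
                              STREAM_CLIENT_CONNECT, $ctx);
    if ($s === false) { return false; }
    fgets($s);                                         // 220 greeting
    fwrite($s, "EHLO client.example\r\n");            // assumption: client name
    do { $line = fgets($s); } while ($line !== false && substr($line, 3, 1) === '-');
    fwrite($s, "STARTTLS\r\n");
    if (strncmp((string) fgets($s), '220', 3) !== 0) { fclose($s); return false; }
    // Returns false when the chain is untrusted or the cert does not match $domain.
    if (!stream_socket_enable_crypto($s, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
        fclose($s); return false;
    }
    return $s;                                         // now a verified TLS stream
}

$tls = smtp_starttls($domain, 587, $ctx);
echo "STARTTLS:      " . ($tls ? "secured" : "failed") . "\n";
if ($tls) { fwrite($tls, "QUIT\r\n"); fclose($tls); }
```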

AdSchellevis (Member) commented

@NOYB in case you would like to work on a fix, certainly feel free to do so and offer a pull request.

NOYB (Contributor) commented Dec 18, 2017

More interested in the architect correcting the security hole they created. Already provided an outline of what needs to be done.

fichtner self-assigned this Dec 18, 2017
fichtner added the bug (Production bug) label Dec 18, 2017
fichtner added this to the 18.1 milestone Dec 18, 2017
fichtner modified the milestones: 18.1, 18.7 Jan 17, 2018

fichtner (Member) commented Feb 5, 2018

discussed here recently: https://forum.opnsense.org/index.php?topic=7165.0

fichtner removed this from the 18.7 milestone Feb 27, 2018
fichtner added this to the 18.7 milestone Jun 23, 2018
fichtner modified the milestones: 18.7, 19.1 Jul 15, 2018

fichtner (Member) commented

Overcome by #2919
