
Testing SMTP for Executive Reports

I switched hosting providers last Friday, and now I am not getting daily executive reports. There were no problems with the previous hosting service. I am still tweaking the settings in Management->Notifications->Advanced, and also just updated the FQDN for the outbound mail server in Definitions & Users->Network Definitions. Here is my question:

-> Is there an easy way to get the UTM to test its email notification settings by forcing it to send an email message immediately, instead of waiting for the daily report to be sent?



  • Try to log in to WebAdmin using an incorrect password.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Brilliant answer. Thanks.

    The error in the logs shows that the connection is dropped. I believe that the UTM is rejecting the hosting service's SMTP server certificate, which is signed by a chain of Comodo certificates.

    I had the same problem with my Mac, which did not recognize the root certificate. I had to add the mail server certificate to the Mac as a trusted certificate (just the one mail server certificate) to get it to send my personal email via secure SMTP.

    The obvious question is: 

    How do I load the hosting service's mail server certificate into the UTM so that it will be trusted for outbound UTM email? 

  • I think it's more likely that their server is not accepting mail from the UTM, but I could be wrong.  Please show the lines from the SMTP log related to an undelivered notification.

    Cheers - Bob

     
  • I still wonder about the certificate chain from the hosting provider's mail server. I noticed that the UTM seems to want to connect over port 587 (non-secure) even though the setting is configured for port 465. See the following two lines, extracted from the larger slice of the log below:

    2016:06:22-01:05:28 myutm postfix/smtp[60867]: CLIENT wrappermode (port smtps/465) is unimplemented
    2016:06:22-01:05:28 myutm postfix/smtp[60867]: instead, send to (port submission/587) with STARTTLS

    Here is a larger slice of the log:

    2016:06:22-01:05:28 myutm notifier[61386]: processing notification request for INFO-723
    2016:06:22-01:05:28 myutm notifier[61386]: successfully processed request for notification
    2016:06:22-01:05:28 myutm postfix/pickup[59889]: C7F6122439: uid=0 from=<myutm@example.com>
    2016:06:22-01:05:28 myutm postfix/cleanup[61395]: C7F6122439: message-id=<5706-61386-1466582728@myutm.example.com>
    2016:06:22-01:05:28 myutm postfix/qmgr[59890]: C7F6122439: from=<myutm@example.com>, size=384473, nrcpt=1 (queue active)
    2016:06:22-01:05:28 myutm postfix/smtp[60867]: CLIENT wrappermode (port smtps/465) is unimplemented
    2016:06:22-01:05:28 myutm postfix/smtp[60867]: instead, send to (port submission/587) with STARTTLS
    2016:06:22-01:06:17 myutm postfix/postfix-script[61565]: refreshing the Postfix mail system
    2016:06:22-01:06:17 myutm postfix/master[6576]: reload -- version 2.11.0, configuration /etc/postfix
    2016:06:22-01:06:17 myutm postfix/qmgr[61571]: C7F6122439: skipped, still being delivered
    2016:06:22-01:06:24 myutm notifier[4696]: loading config version 117
    2016:06:22-01:06:27 myutm notifier[61696]: processing notification request for INFO-306
    2016:06:22-01:06:27 myutm notifier[61696]: mail notifications for INFO-306 are disabled
    2016:06:22-01:06:27 myutm notifier[61696]: successfully processed request for notification
    2016:06:22-01:06:33 myutm postfix/postfix-script[61843]: refreshing the Postfix mail system
    2016:06:22-01:06:33 myutm postfix/master[6576]: reload -- version 2.11.0, configuration /etc/postfix
    2016:06:22-01:08:13 myutm postfix/smtp[60867]: C7F6122439: to=<myutmadmin@example.com>, relay=hostingservicesmtpserver.example.org[169.254.1.1]:465, delay=165, delays=0.03/0/165/0, dsn=4.4.2, status=deferred (lost connection with hostingservicesmtpserver.example.org[169.254.1.1] while receiving the initial server greeting)
    2016:06:22-01:11:34 myutm postfix/qmgr[61848]: C7F6122439: from=<myutm@example.com>, size=384473, nrcpt=1 (queue active)
    2016:06:22-01:11:34 myutm postfix/smtp[62301]: CLIENT wrappermode (port smtps/465) is unimplemented
    2016:06:22-01:11:34 myutm postfix/smtp[62301]: instead, send to (port submission/587) with STARTTLS
    2016:06:22-01:14:19 myutm postfix/smtp[62301]: C7F6122439: to=<myutmadmin@example.com>, relay=hostingservicesmtpserver.example.org[169.254.1.1]:465, delay=530, delays=365/0.01/165/0, dsn=4.4.2, status=deferred (lost connection with hostingservicesmtpserver.example.org[169.254.1.1] while receiving the initial server greeting)

  • How about a picture of the Smarthost configuration on the 'Advanced' tab?

    Cheers - Bob

     
  • Here is a screenshot of the settings, plus another log.

    The log shows the lost connection errors, which seem to be asynchronous to the failed login that triggers the message. In case it isn't obvious, I edited the screenshot to hide the real email address, and changed some names and IP addresses to protect the innocent. I note that no "lost connection" error appeared after the second failed login at 11:42.

    2016:06:22-11:22:14 myutm postfix/postfix-script[42459]: refreshing the Postfix mail system
    2016:06:22-11:22:14 myutm postfix/master[6442]: reload -- version 2.11.0, configuration /etc/postfix
    2016:06:22-11:22:29 myutm notifier[42520]: processing notification request for INFO-306
    2016:06:22-11:22:29 myutm notifier[42520]: mail notifications for INFO-306 are disabled
    2016:06:22-11:22:29 myutm notifier[42520]: successfully processed request for notification
    2016:06:22-11:22:32 myutm postfix/postfix-script[42548]: refreshing the Postfix mail system
    2016:06:22-11:22:32 myutm postfix/master[6442]: reload -- version 2.11.0, configuration /etc/postfix
    2016:06:22-11:25:33 myutm postfix/postfix-script[42879]: refreshing the Postfix mail system
    2016:06:22-11:25:33 myutm postfix/master[6442]: reload -- version 2.11.0, configuration /etc/postfix
    2016:06:22-11:25:39 myutm notifier[4684]: loading config version 42
    2016:06:22-11:25:48 myutm notifier[42966]: processing notification request for WARN-005
    2016:06:22-11:25:48 myutm notifier[42966]: successfully processed request for notification
    2016:06:22-11:25:48 myutm postfix/pickup[42883]: 8E20C22003: uid=0 from=<myutm@example.org>
    2016:06:22-11:25:48 myutm postfix/cleanup[42970]: 8E20C22003: message-id=<3801-42966-1466619948@myutm.example.com>
    2016:06:22-11:25:48 myutm postfix/qmgr[42884]: 8E20C22003: from=<myutm@example.org>, size=845, nrcpt=1 (queue active)
    2016:06:22-11:25:48 myutm postfix/smtp[42972]: CLIENT wrappermode (port smtps/465) is unimplemented
    2016:06:22-11:25:48 myutm postfix/smtp[42972]: instead, send to (port submission/587) with STARTTLS
    2016:06:22-11:25:59 myutm notifier[42992]: processing notification request for INFO-005
    2016:06:22-11:25:59 myutm notifier[42992]: mail notifications for INFO-005 are disabled
    2016:06:22-11:25:59 myutm notifier[42992]: successfully processed request for notification
    2016:06:22-11:28:33 myutm postfix/smtp[42972]: 8E20C22003: to=<sophosadmin@example.org>, relay=secure199.inmotionhosting.com[169.254.1.1]:465, delay=165, delays=0.03/0.01/165/0, dsn=4.4.2, status=deferred (lost connection with secure199.inmotionhosting.com[169.254.1.1] while receiving the initial server greeting)
    2016:06:22-11:28:52 myutm notifier[4684]: loading config version 44
    2016:06:22-11:35:33 myutm postfix/qmgr[42884]: 8E20C22003: from=<myutm@example.org>, size=845, nrcpt=1 (queue active)
    2016:06:22-11:35:33 myutm postfix/smtp[44011]: CLIENT wrappermode (port smtps/465) is unimplemented
    2016:06:22-11:35:33 myutm postfix/smtp[44011]: instead, send to (port submission/587) with STARTTLS
    2016:06:22-11:38:18 myutm postfix/smtp[44011]: 8E20C22003: to=<sophosadmin@example.org>, relay=secure199.inmotionhosting.com[169.254.1.1]:465, delay=750, delays=584/0.01/165/0, dsn=4.4.2, status=deferred (lost connection with secure199.inmotionhosting.com[169.254.1.1] while receiving the initial server greeting)
    2016:06:22-11:42:21 myutm notifier[44632]: processing notification request for WARN-005
    2016:06:22-11:42:21 myutm notifier[44632]: successfully processed request for notification
    2016:06:22-11:42:21 myutm postfix/pickup[42883]: 6258621BF7: uid=0 from=<myutm@example.org>
    2016:06:22-11:42:21 myutm postfix/cleanup[44635]: 6258621BF7: message-id=<3801-44632-1466620941@myutm.example.com>
    2016:06:22-11:42:21 myutm postfix/qmgr[42884]: 6258621BF7: from=<myutm@example.org>, size=844, nrcpt=1 (queue active)
    2016:06:22-11:42:21 myutm postfix/smtp[44637]: CLIENT wrappermode (port smtps/465) is unimplemented
    2016:06:22-11:42:21 myutm postfix/smtp[44637]: instead, send to (port submission/587) with STARTTLS
    2016:06:22-11:42:40 myutm notifier[44677]: processing notification request for INFO-005
    2016:06:22-11:42:40 myutm notifier[44677]: mail notifications for INFO-005 are disabled
    2016:06:22-11:42:40 myutm notifier[44677]: successfully processed request for notification

  • It looks like the inmotionhosting server might be doing greylisting.  Can you have them turn that off for your IP or email address?

    If that isn't it, what happens when you set 'SMTP Port' to 587 and un-check 'Use TLS'?

    If it's still not working, triple-check the Username and Password.  Any luck with any of that?

    Cheers - Bob

     
  • Greylisting - Not likely since sender and receiver email addresses are hosted by InMotion Hosting.

    SMTP - Port to 587. Tested with TLS, failed. I will test again without TLS and let you know. Of course, I would prefer TLS encrypted email. It worked with my old hosting provider.

    Username and Password. I checked the account and I am confident they match. I changed the password yesterday before starting this thread. I pasted the password from the same source into both the email account at InMotion Hosting and the UTM web page.

    I will let you know what I learn.

  • Okay - my bad. I believe that the email passwords may not have matched between the hosting service and the UTM. I can't explain how it would happen when I distinctly remember copy 'n' pasting the same password to both of them. Oh well. 

    Here are the tests that I ran:

    1. I have seen systems that accept long passwords in the entry fields, but then they truncate or otherwise alter them, so I decided to test with an 8 character password. 

    Port 587, TLS off, 8-character password: Email Notification WORKED

    Could it have been a password mismatch after all?

    2. I tried a long, strong password (generated by 1Password):

    Port 587, TLS off, 20-character random password: Email Notification WORKED

    3. I tried the "correct" port 465 with TLS (which worked before with the old hosting provider). I assumed that the problem was only a password mismatch:

    Port 465, TLS on, 20-character random password: Email Notification FAILED

    4. I tried enabling TLS on port 587:

    Port 587, TLS on, 20-character random password: Email Notification WORKED

    At this point, the email message included the note: "The send limit for this notification has been reached. No further notifications of this type will be sent during this period." I don't know how to reset it to get more failed login attempt notifications, nor do I know how long "this period" lasts. Suggestions are welcome. Otherwise, I guess I have to wait until tomorrow.

    I don't have an easy way to sniff traffic on the WAN side of the UTM to verify that the email on port 587 is encrypted over TLS. I suppose I could try an old 10BaseT hub between the UTM and the Ethernet side of the cable modem, but I don't know whether my laptop will sniff packets without an IP address. Suggestions are welcome here, too.

  • Like SMTP over port 25, mail servers since before 2000 use STARTTLS, so all "conversations" are encrypted as soon as the sender identifies itself with EHLO mydomain.com.  TLS may only be needed with port 465 as I don't recall whether it uses STARTTLS.

    You can have a conversation with the other mail server from the command line.  Here's me doing a successful one with Yahoo:

    sophos:/root # telnet mta5.am0.yahoodns.net 25
    Trying 66.196.118.33...
    Connected to mta5.am0.yahoodns.net.
    Escape character is '^]'.
    220 mta1060.mail.bf1.yahoo.com ESMTP ready
    EHLO mydomain.com
    250-mta1060.mail.bf1.yahoo.com
    250-PIPELINING
    250-SIZE 41943040
    250-8BITMIME
    250 STARTTLS
    MAIL FROM:<info@mydomain.com>
    250 sender <info@mydomain.com> ok
    RCPT TO:<u.western87@yahoo.com>
    250 recipient <u.western87@yahoo.com> ok
    QUIT
    221 mta1060.mail.bf1.yahoo.com
    Connection closed by foreign host.

    Cheers - Bob

     
  • Hi Bob,

    Here is the latest info:

    TELNET: I tried the telnet "script" above. Here are the results. Note: Port 587 is not open on my UTM firewall:

    * Home computer terminal (through UTM), port 587: Timed out. The "Escape character is..." does not appear. (Remember, this port is not open on the UTM.)

    * Home computer terminal (through UTM), port 465: Saw the "Escape character is...", but nothing else. Connection closed by foreign host appears if I type any command.

    * UTM console as root, port 587: Works as you described in your example. There are slight differences in the accepted command list, but STARTTLS is one of them. 

    * UTM console as root, port 465: Same as port 465 from my home computer above. Any command gets "Connection closed by foreign host"

    Port 587 in Advanced Tab in WebAdmin on UTM (External SMTP Server): 

    This is working. The UTM is sending email notifications and I am receiving them. I have not yet determined whether the email from the UTM to the SMTP server is secured through TLS. I assume so, since the "Use TLS" is checked (enabled) in the WebAdmin interface. I can't explain why this works, because it is not the port that the hosting service wants me to use.

    Port 465 in Advanced Tab in WebAdmin on UTM (External SMTP Server): 

    As I said in previous messages, this doesn't work, but I cannot explain why, especially since this is the port that the hosting service wants me to use.

    UTM Internal Mail Server (External SMTP Server Disabled):

    This works, too. I have noted before that the UTM appears to have its own mail server. If I disable "External SMTP Server Status" in the Advanced Tab to Off ("0"), the notifications get through.  Frankly, I do not know why this works. You would think that my ISP would prevent me from operating a mail server from my home connection, but apparently not. (A botnet could use the same mechanism to send spam from my home network. Perhaps the ISP allows a time-limited number of outbound status email messages, such as the ones from the UTM, but blocks larger quantities in a short period of time.)

  • The key to the telnet test is running it from the command line of the UTM.

    If you attempt to telnet to an MTA other than your ISP's smart host, you likely will be blocked.

    Cheers - Bob

     
  • Bob: "The key to the telnet test is running it from the command line of the UTM."

    As you see, I tried both (Terminal on home computer, command line on UTM as root).

    You are right, the telnet test only worked from the UTM console, and only through port 587. It does not work with port 465, although I can't explain why.

    My email client (Apple Mail) sends email using port 465. Port 587 is not open on the UTM firewall. The UTM itself can ignore the port 587 block when it sends, but obviously it won't work from my home computer behind the UTM unless I enable the port in the firewall.

    I am curious to understand this better, but the truth is that I have two ways to make it work for my specific configurations of UTM, ISP, and hosting provider:

    * Disable External SMTP Server in the Advanced tab, which appears to use a built-in mail server in the UTM. 

    * Enable External SMTP Server in the Advanced tab with port 587, TLS, and Authentication enabled. (The same configuration won't work with the hosting service's recommended port 465.)
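
Added example, not part of any post in this thread: a small Python triage of Postfix SMTP client logs in the format shown above. It pairs the "CLIENT wrappermode (port smtps/465) is unimplemented" warning with deferrals to port 465 that end "while receiving the initial server greeting", the pattern expected when a client that only speaks STARTTLS is pointed at an implicit-TLS listener. The sample lines, host names and addresses are constructed placeholders.

```python
import re

# Constructed sample in the log format shown in this thread (placeholder names).
SAMPLE_LOG = """\
2016:06:22-01:05:28 myutm postfix/smtp[60867]: CLIENT wrappermode (port smtps/465) is unimplemented
2016:06:22-01:05:28 myutm postfix/smtp[60867]: instead, send to (port submission/587) with STARTTLS
2016:06:22-01:08:13 myutm postfix/smtp[60867]: C7F6122439: to=<admin@example.com>, relay=mail.example.org[169.254.1.1]:465, delay=165, delays=0.03/0/165/0, dsn=4.4.2, status=deferred (lost connection with mail.example.org[169.254.1.1] while receiving the initial server greeting)
2016:06:22-02:00:00 myutm postfix/smtp[70001]: AAAA000001: to=<admin@example.com>, relay=mail.example.org[169.254.1.1]:587, delay=2, delays=0.03/0/1/1, dsn=2.0.0, status=sent (250 OK)
"""

# Any line written by the Postfix SMTP client: timestamp, host, process[pid], message.
LINE = re.compile(r"^(?P<ts>\S+) \S+ postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# A delivery result line: queue id, recipient, relay[:port], DSN code, status, reason.
DELIVERY = re.compile(
    r"^(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^\[,]+)"
    r"(?:\[[^\]]*\]:(?P<port>\d+))?.*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

def triage(log_text):
    """Return one finding per delivery attempt, flagging implicit-TLS mismatches."""
    wrapper_pids = set()  # smtp processes that logged the wrappermode warning
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if "wrappermode" in msg and "unimplemented" in msg:
            wrapper_pids.add(pid)
            continue
        d = DELIVERY.match(msg)
        if not d:
            continue
        # Port 465 + no greeting ever received: the server is waiting for a TLS
        # handshake while the client is waiting for a plaintext "220" banner.
        mismatch = (
            d["status"] == "deferred"
            and d["port"] == "465"
            and "initial server greeting" in d["reason"]
        )
        findings.append({
            "queue_id": d["qid"], "port": d["port"],
            "status": d["status"], "dsn": d["dsn"],
            "implicit_tls_mismatch": mismatch,
            "client_warned": pid in wrapper_pids,
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A finding with both `implicit_tls_mismatch` and `client_warned` set points at the port/TLS mode combination rather than at credentials or the certificate chain.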