Alerts without (external) mail?

Status
Not open for further replies.

benni2

Dabbler
Joined
Jul 12, 2016
Messages
26
hi folks,

i'm just setting up a freenas system that is not allowed to go online.

still, i'd like to be alerted when something goes wrong in the system. i have no mailserver in the local network, so i can't send mails from the fileserver to other machines.

what's the easiest way to get critical alerts anyway? is there a built-in function that i can use? or can i send emails to the local (freenas) server which i could put to other machines via scp?

i'd greatly appreciate your help.

cheers,
benni
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
You can easily set up an SMTP relay on your network using a jail (or VM, etc) if you want to go that route. That would let you use an external mail, but your FreeNAS system wouldn't go online.
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
Or you can set up a mail server on a jail of that FreeNAS or another box and get it from there.
 

benni2

Dabbler
Joined
Jul 12, 2016
Messages
26
thank you very much for your answers.

well, i messed around with mail servers before and find it very exhausting to config all the (security) options.
is there a how-to for creating a smtp relay and using it with freenas somewhere? i think, i could let a VM run on my windows machine. it would probably be fine with 256 mb of ram.

OR are there any other options? i found a script in this board where the daily messages are analyzed and sent only when there was something important in it. but i'm more interested in the critical alerts that are sent instantly. if i copied a file with the error message over the LAN to another machine i could set up an alarm script myself.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
> is there a how-to for creating a smtp relay and using it with freenas somewhere?

There are a ton of guides out there for setting up an SMTP relay. Your best bet will probably be to use ssmtp. A search for "ssmtp freebsd" or "ssmtp relay" will probably get you all you need.
 

benni2

Dabbler
Joined
Jul 12, 2016
Messages
26
ok, thanks for the answer... i did a little bit of research so far.. in my understanding, i should install the relay (ssmtp) on an extra server that is connected to the internet, right?
i'm just confused because you said, i should install it in a jail on freenas. and my freenas is -as i said before- not able to go online. but it's able to reach the rest of my LAN.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
> ok, thanks for the answer... i did a little bit of research so far.. in my understanding, i should install the relay (ssmtp) on an extra server that is connected to the internet, right?
> i'm just confused because you said, i should install it in a jail on freenas. and my freenas is -as i said before- not able to go online. but it's able to reach the rest of my LAN.

A jail is a sort of pseudo-VM, with its own IP address, isolated from the host (https://en.wikipedia.org/wiki/FreeBSD_jail). Even if your FreeNAS server itself is not able to get online, a jail could (or vice versa).

If having any service on that physical server connect to the internet is not allowable by your policy, then yes, you'd have to set up a different server for your relay.
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
> ok, thanks for the answer... i did a little bit of research so far.. in my understanding, i should install the relay (ssmtp) on an extra server that is connected to the internet, right?
> i'm just confused because you said, i should install it in a jail on freenas. and my freenas is -as i said before- not able to go online. but it's able to reach the rest of my LAN.

Aren't you over engineering? If your FN can access the rest of your "LAN" why can't you set up a mail server on your "LAN" and get your e-mail alerts from it? I'd say that there are a million ways to do that, but all beyond FN configuration.
 

benni2

Dabbler
Joined
Jul 12, 2016
Messages
26
thank you for both your answers...

the nicer way would be to have my mail server in the LAN, so no mail service has to go online and expose its potential security issues. but at least what i experienced so far, is, that a real MTA (postfix) is crazy complicated. and that would be totally over engineered.
if you know a real lightweight mail server software, then i'm happy to test that.
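
Added example, not part of the original thread and not FreeNAS or ssmtp code: the "lightweight mail server in the LAN" idea as an accept-only SMTP sink in Python that stores each alert as a file and never relays anything. The names `AlertSink` and `make_sink`, port 2525 and the two addresses at the bottom are assumptions; the NAS would be pointed at this listener as its outgoing mail server.

```python
import pathlib, socketserver, time

MAX_BYTES = 256 * 1024  # alert mails are small; refuse anything larger

class AlertSink(socketserver.StreamRequestHandler):
    """Accept-only SMTP endpoint: stores mail as files, never relays."""
    def say(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def read_body(self):
        lines, size = [], 0
        for raw in self.rfile:
            if raw.rstrip(b"\r\n") == b".":  # end-of-data marker
                return b"".join(lines) if size <= MAX_BYTES else None
            size += len(raw)
            if size <= MAX_BYTES:  # undo SMTP dot-stuffing on stored lines
                lines.append(raw[1:] if raw.startswith(b".") else raw)
        return None  # peer disconnected before finishing the message

    def handle(self):
        if self.client_address[0] not in self.server.allowed:
            self.say("554 connections from this address are refused")
            return
        self.say("220 alert-sink ready")
        for raw in self.rfile:
            verb = raw[:4].upper()
            if verb in (b"HELO", b"EHLO", b"MAIL", b"RCPT", b"RSET", b"NOOP"):
                self.say("250 ok")
            elif verb == b"DATA":
                self.say("354 end data with <CRLF>.<CRLF>")
                body = self.read_body()
                if body is not None:
                    (self.server.spool / f"alert-{time.time_ns()}.eml").write_bytes(body)
                self.say("250 stored" if body is not None else "552 message rejected")
            elif verb == b"QUIT":
                self.say("221 bye")
                return
            else:
                self.say("502 command not implemented")

def make_sink(bind_addr, port, allowed, spool_dir):
    # bind_addr: LAN address to listen on; allowed: client IPs (the NAS only)
    server = socketserver.ThreadingTCPServer((bind_addr, port), AlertSink)
    server.allowed, server.spool = set(allowed), pathlib.Path(spool_dir)
    server.spool.mkdir(parents=True, exist_ok=True)
    return server

if __name__ == "__main__":  # constructed example addresses and port
    make_sink("192.168.1.10", 2525, {"192.168.1.20"}, "spool").serve_forever()
```

Because the listener binds to one LAN address, checks the client IP against an allowlist and has no forwarding path, it cannot be used as an open relay; a watcher on the spool directory can then raise whatever local alarm is wanted.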
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
> thank you for both your answers...
>
> the nicer way would be to have my mail server in the LAN, so no mail service has to go online and expose its potential security issues. but at least what i experienced so far, is, that a real MTA (postfix) is crazy complicated. and that would be totally over engineered.
> if you know a real lightweight mail server software, then i'm happy to test that.

I know nothing about Linux or BSD. I used Slackware 30 years ago for a while before moving to OS/2 and, with its death, Windows. Re-started my walk back to Linux and BSD one year ago and had a mail server running in a couple days. It is not that complicated and you can do it following the several guides out there or the suggestion above from @Mirfster.
 

benni2

Dabbler
Joined
Jul 12, 2016
Messages
26
ok, i just read that basically all mail providers block mails from computers with a variable ip. so, a relay is not an option.

isn't there an easier way? - i mean, if i enable internet access on my freenas, emails will get sent away. so there is probably a local mail queue that i could copy to another machine via script. but i can't figure out where to look for that?

@melloa: sounds great. but even if that huge thing is properly set up, it needs to be maintained constantly - and i'm not willing to do that.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
> ok, i just read that basically all mail providers block mails from computers with a variable ip. so, a relay is not an option.

Your conclusion is wrong. A relay in this case would be used to relay mail from a sending machine (FreeNAS) to an outgoing SMTP server (like Gmail, Yahoo Mail, Outlook Online, your ISP, etc.). What mail providers are blocking is an authoritative SMTP server at a variable IP address, which is not what you'd be using the relay for.

Really, the easy way is setting up an SMTP relay. That's exactly the point of the relay.
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
@benni2, would you tell us about your network setup? If your LAN is parked behind a router/gateway with a good firewall, then your FreeNAS system isn't open to the internet unless you use NAT pinholes or some kind of direct passthrough to relay inbound traffic to it. There's little danger in allowing your FreeNAS system to make an outbound connection to gmail or yahoo or whatever mailserver hosts your email account. My system is set up this way; my FreeNAS servers aren't open to inbound traffic from the internet and yet send me mail, update themselves from iXsystems' update server, etc.

I'm just curious why you don't want any kind of connection from your FreeNAS server to the internet.
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
> I'm just curious why you don't want any kind of connection from your FreeNAS server to the internet.

You're exactly right; this is probably what we should be talking about.

My original assumption was that this was some sort of corporate policy, but looking back through the thread, now I'm not so sure. Even if it is a corporate policy, is it being interpreted correctly? There's a huge difference between an internet facing server and a server that's capable of going on the internet.
 

melloa

Wizard
Joined
May 22, 2016
Messages
1,749
> You're exactly right; this is probably what we should be talking about.
>
> My original assumption was that this was some sort of corporate policy, but looking back through the thread, now I'm not so sure. Even if it is a corporate policy, is it being interpreted correctly? There's a huge difference between an internet facing server and a server that's capable of going on the internet.

Agree.
 

benni2

Dabbler
Joined
Jul 12, 2016
Messages
26
ok, thanks for all your replies.. and thanks for elaborating the idea with the relay. maybe that IS the best thing to do.

to answer all your questions: no, it's not a corporate policy, it's just a private machine that shouldn't be hacked, so that i don't lose my data.
LAN-setup (all in the same subnet):
- freenas (doesn't know the gateway ip and is hereby offline)
- other pcs
- cheap consumer router with built-in firewall.
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
> ok, thanks for all your replies.. and thanks for elaborating the idea with the relay. maybe that IS the best thing to do.
>
> to answer all your questions: no, it's not a corporate policy, it's just a private machine that shouldn't be hacked, so that i don't lose my data.
> LAN-setup (all in the same subnet):
> - freenas (doesn't know the gateway ip and is hereby offline)
> - other pcs
> - cheap consumer router with built-in firewall.

Do realize that if any of the PCs on your LAN have internet connectivity -- as I suspect they must, else you wouldn't be posting on the forum! -- then your FreeNAS server is already exposed to the internet, albeit indirectly through them, viz., if some hacker gains access to one of your PCs, said hacker will have access to everything on your LAN. FreeNAS can be set up to only allow SSL-encrypted connections to the GUI, which mitigates risk somewhat. But CIFS shares, etc., are vulnerable. There are security tutorials available; read them and harden your system.

Provided you exercise reasonable caution, you really don't need to worry about anyone accessing your FreeNAS server unless you consciously grant inbound access to it yourself. And that won't happen without an effort on your part using NAT port forwarding or other techniques as I mentioned earlier. Or unless you're using a really awful router. And we might be able to help you with that, if you'll divulge the brand and model.

Meanwhile, in the interest of saving everyone's time, I suggest you configure your FreeNAS server to send you emails in the standard way, because sending outbound email messages doesn't expose it any more than it's already exposed.

Good luck!
 

benni2

Dabbler
Joined
Jul 12, 2016
Messages
26
thank you for your answer, spearfoot.

you have a point, there. so i'll do the easiest way possible and just activate the internet-access for the freenas system :) but i really have to check for those security-guides.

thanks again for all your effort and all your patience, everyone.
 