Saturday, September 27, 2025

The incomplete guide to sending email notifications from Ubiquiti's Unifi Cloud Gateway (UCG)

Unfortunately, sending notification emails from a Unifi Cloud Gateway (UCG) with remote management disabled is not at all straightforward. Here are some tips, though it will end in disappointment.

Check list:

  1. Send a test email
  2. Weird things for local email servers
  3. Configure an email address for the admin user
  4. Configure an alert
  5. Wait for Ubiquiti to fix it

1. Send a test email

In 'Settings', 'General', under 'Email Services', select 'Custom Server'. Fill in the details and press 'Send test email'. If it works, skip to section 3; otherwise, read on.

As 'SMTP Server' you need to fill in the fully qualified hostname of the email server. The hostname must match the DNS name in the TLS certificate of the email server. If there is a mismatch, the UCG will reject the connection. Therefore, an IP address does not work!

The standardized SMTP submission port is 587, with 'SSL' disabled. No worries: thanks to STARTTLS the traffic is still encrypted.

If port 587 does not work, your email server may support the legacy port 465, with SSL enabled.

If that also does not work, you may try port 25 with SSL disabled (again, STARTTLS should encrypt the traffic).
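Before clicking 'Send test email' repeatedly, it helps to try the same three candidates from a machine on the LAN and see why the gateway would refuse each one. The script below is an added example and is not from the original post or from Ubiquiti; it assumes the three port/SSL combinations listed above and, like the UCG, insists that the server certificate match the configured hostname (`cert_matches_host` mirrors that check offline on the dict `getpeercert()` returns, which is why an IP address fails: public mail certificates almost never carry an IP SAN). The server name and any output shown are placeholders.

```python
"""Pre-flight check for the UCG 'Custom Server' email settings (added example)."""
import ipaddress
import smtplib
import ssl

# Port -> whether the UCG 'SSL' toggle should be on (implicit TLS) or off (STARTTLS).
# Same three candidates the post lists, tried in the post's order.
CANDIDATES = [(587, False), (465, True), (25, False)]


def san_entries(cert):
    """Split the subjectAltName of an SSLSocket.getpeercert() dict into DNS and IP SANs."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(value)
    return dns, ips


def cert_matches_host(cert, host):
    """Mirror the hostname check the gateway applies.

    A DNS SAN must equal the configured name (a leading '*' covers exactly one
    label). An IP literal only matches an explicit IP SAN, so entering the
    server's address instead of its hostname fails for ordinary certificates.
    """
    dns, ips = san_entries(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(i) == ip for i in ips)
    host = host.lower().rstrip(".")
    for name in dns:
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def probe(host, port, implicit_tls, timeout=5.0):
    """Connect the way the UCG would for one candidate; returns (ok, detail)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        if implicit_tls:
            smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            smtp.starttls(context=ctx)
        smtp.ehlo()
        cert = smtp.sock.getpeercert()  # smtplib swaps in the TLS socket
        smtp.quit()
        return True, "TLS ok, DNS SANs=%s" % san_entries(cert)[0]
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: %s" % exc.reason
    except (OSError, smtplib.SMTPException) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


def preflight(host):
    """Try every candidate; returns a list of (port, ssl_toggle, ok, detail)."""
    return [(port, ssl_on, *probe(host, port, ssl_on)) for port, ssl_on in CANDIDATES]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    for port, ssl_on, ok, detail in preflight(target):
        print("port %-3d SSL=%-3s %-4s %s" % (port, "on" if ssl_on else "off",
                                             "OK" if ok else "FAIL", detail))
```

Run it as `python3 preflight.py mail.example.com`. A line reading `certificate rejected: CERTIFICATE_VERIFY_FAILED` on a candidate means the hostname you typed into 'SMTP Server' does not appear in the certificate (or the chain is not trusted), which is exactly the case the UCG silently fails on; a connection error on 587 and 25 but success on 465 tells you which 'SSL' setting to use.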

2. Weird things for local email servers

Something odd happens when the DNS name of the email server actually resolves to the UCG, and you have port forwarding for ports 25 and 587 to the local device that runs the email server.

The problem is that 'hairpinning' does not fully work on the UCG. Ubiquiti describes hairpinning as follows (source):

When a device on the local network attempts to connect to the public IP address of the UniFi gateway, the traffic is redirected internally, ensuring that port forwarding rules apply as they would for external requests.

Hairpinning is super useful, but Ubiquiti's interpretation is not good enough! To reach the email server, the UCG itself should also be able to use hairpinning. Unfortunately, this is not supported.

Luckily, I learned a workaround from Ubiquiti's support staff. We can give the local email server a 'local DNS record', a kind of DNS override. We set the local DNS record equal to the fully qualified hostname (e.g. mail.example.com) of the email server. After this change, any DNS client in the local network, including the UCG itself, resolves mail.example.com to the IP address of the local device and not to the public IP address of the UCG.

Here is how to set this up: in 'Client Devices', click the device that runs the email server. In the left panel click the cog-icon (settings). Check 'Local DNS Record' and enter the fully qualified hostname of the email server, and click 'Apply Changes'.

We can check that it works by using something like dig from any machine in the local network:

# Before
% dig +short mail.example.com
1.1.1.1         # some public IP address

# After
% dig +short mail.example.com
192.168.1.24    # a local IP address
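The dig check above compares what the LAN resolver says with what the public Internet says. As an added example (not from the original post), the script below does the same comparison without dig: it sends a minimal DNS A query to the gateway's resolver and to a public resolver, parses the answers, and reports whether the local DNS record is in effect. The resolver addresses, the LAN prefix and the `sample_response` packet are constructed placeholders; only the response parser and the classification logic matter.

```python
"""Verify a UCG 'Local DNS Record' override by querying two resolvers (added example)."""
import ipaddress
import random
import socket
import struct

LAN_RESOLVER = "192.168.1.1"   # placeholder: the gateway's LAN address
PUBLIC_RESOLVER = "1.1.1.1"    # any public resolver
LAN_NETWORK = "192.168.1.0/24" # placeholder: your LAN prefix


def build_query(name, txid):
    """Standard recursive A query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def skip_name(buf, pos):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends here
            return pos + 2
        pos += 1 + length


def parse_a_records(resp, txid):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    pos = 12
    for _ in range(qd):                     # skip the echoed question(s)
        pos = skip_name(resp, pos) + 4
    addrs = []
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(resp[pos:pos + 4])))
        pos += rdlen
    return addrs


def resolve_a(name, server, timeout=3.0):
    """Ask one resolver over UDP/53 for the A records of name."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, txid)


def classify(lan_answers, public_answers, lan_network=LAN_NETWORK):
    """Decide whether the override is active from the two resolvers' answers."""
    net = ipaddress.ip_network(lan_network)
    local = [a for a in lan_answers if ipaddress.ip_address(a) in net]
    if local and set(lan_answers) != set(public_answers):
        return "override active: LAN clients and the UCG reach the mail host directly"
    if set(lan_answers) == set(public_answers):
        return "no override: LAN resolver still returns the public address"
    return "unexpected: LAN resolver returns a non-LAN address"


def sample_response(txid, ip="192.168.1.24"):
    """Constructed response for offline testing: one A record, name compressed to offset 12."""
    question = build_query("mail.example.com", txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


if __name__ == "__main__":
    host = "mail.example.com"  # placeholder
    lan, public = resolve_a(host, LAN_RESOLVER), resolve_a(host, PUBLIC_RESOLVER)
    print("LAN resolver:   ", lan)
    print("public resolver:", public)
    print(classify(lan, public))
```

If the LAN resolver still returns the public address after you applied the local DNS record, the UCG itself will also keep resolving the name to its own WAN address and the test email will not reach the server, which is the hairpinning gap described above.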

Try another test email (see section 1) before you continue.

3. Configure an email address for the admin user

Click 'Admin and users' (bottom left icon), click the relevant user. In the left panel click the cog-icon (settings). Enter the email address, and click 'Apply Changes'.

4. Configure an alert

Click 'Alarm Manager' (second icon from bottom left). Select all alarms you want to receive an email for. Then in the left panel make sure 'Email' is selected and click 'Save'. If you create new alarms, you may have to repeat the process.

5. Wait for Ubiquiti to fix it

If you have gotten this far (like I have), it was all for nothing. According to this discussion, you won't get email notifications unless you enabled Remote Management, if only for 1 second.

I have reached out to Ubiquiti support and I will update this article when more information arrives.
