xreef / EMailSender

Arduino, esp32, Esp8266 EMailSender with Arduino IDE, simple library to send email via smtp with attachments.
https://www.mischianti.org/category/my-libraries/emailsender-send-email-with-attachments/
MIT License
74 stars 26 forks

Add CramMD5 auth #45

Closed dirkx closed 9 months ago

dirkx commented 9 months ago

Add CramMD5 auth for platforms that have enough crypto to support this (currently that is, I think, just the ESP32).

This is increasingly needed/easy if you want to post through various MTA-as-a-Service parties.

xreef commented 9 months ago

Hi dirkx, thanks a lot for the pull request. I'll try to generate an int base64_decode(char output, char input, int inputLen) so as not to import mbedtls. Thanks, RM

dirkx commented 9 months ago

Hmm - with regard to that base64 (and in the unlikely case that you are not linking in mbedtls, as you are forced to use TLS for the connection) -- perhaps replace it by

https://github.com/espressif/esp-idf/blob/master/components/wpa_supplicant/src/utils/base64.c

These? As you will probably need to link that - as your ESP chip needs a network. An alternative would be to add some base64 decode routines, so it works on the other platforms - but that may hit crypto issues (again causing it to need mbedtls)?

Dw

xreef commented 9 months ago

Now I'm adding mbedtls, but I think that base64 encode/decode can't create a cryptography problem; in the future, though, I must think about TLS integration. Thanks again, Renzo

dirkx commented 9 months ago

Well - cram-md5/digest-md5 help you a lot here (the password is no longer in the clear) - and that mollifies most of the MTAs into allowing non-TLS/SSL.

I have a version here of your code that does TLS; I could see how I can clean that up. The issue with these is always the chain of trust - one does not want to hard-code all the world's Certificate Authorities :)

I'll see if I can think of some sort of TOFU.

xreef commented 9 months ago

Ahh!! Perfect. If you can do that, I will try to help you. I can create a branch to work on without any problem. Bye, Renzo

xreef commented 8 months ago

Hi Dirkx, have you had time to check your code for TLS? If you have something, even partial, and you send it to me, I'll try to give it a fix as well.

Thanks, Renzo

dirkx commented 8 months ago

On 9 Jan 2024, at 08:22, Renzo Mischianti wrote:

Have you had time to check your code for TLS? If you have something, even partial, and you send it to me, I'll try to give it a fix as well.

Not had the time - will see what I can do. Apologies !

xreef commented 8 months ago

Don't worry, I understand, I fight with time every day. It's only a ping "to remember" ;).

dirkx commented 8 months ago

Minor setback - I found that in order to do this cleanly/properly, I need something like

https://github.com/espressif/arduino-esp32/pull/9100

to be made part of WiFiClientSecure (or a copy of essentially the same as a private WiFiClientSecure class in EMailSender).

xreef commented 8 months ago

Thanks, I'm going to check it.

dirkx commented 8 months ago

On 18 Jan 2024, at 12:50, Renzo Mischianti wrote:

Thanks, I'm going to check It

That needs their latest 'dev' version. I've also backported this to the current Arduino IDE - so I will make a branch with that and my simplified code to give you an idea.

dirkx commented 8 months ago

And this example https://github.com/espressif/arduino-esp32/blob/c8e01dc12b5fb43be6101fc63a69e55d900c4149/libraries/WiFiClientSecure/examples/WiFIClientSecureProtocolUpgradeSTARTTLS/WiFIClientSecureProtocolUpgradeSTARTTLS.ino has the guts in it.

Dw

dirkx commented 8 months ago

Early cleanup/attempt at https://github.com/dirkx/EMailSender/tree/feat_support_starttls

Have to add some APIs for SSL trust management still (root CAs and a fingerprint for TOFU and simple cases).

Main change - I had to remove the HELO/CONNECT count mechanism and replace it by a detection for the '-' vs. 'space' in the SMTP command response that signals (no) multi-line continuation. Is that workable, or does that break things I do not understand?
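An added example, not part of this pull request or of the EMailSender code, written in Python rather than the library's C++ so it runs stand-alone: it reads SMTP replies using only the separator after the three-digit code ('-' continues the reply, a space ends it, per RFC 5321 section 4.2.1), extracts the EHLO capability list, and applies a defensive rule for what the client may send next: upgrade with STARTTLS when it is offered, and never send PLAIN or LOGIN credentials over a plaintext connection. The sample EHLO lines are constructed to mirror the capability set in the log posted later in this thread; the host name and address in them are placeholders.

```python
"""SMTP reply reader: the character after the 3-digit code decides continuation."""
import re
from dataclasses import dataclass, field

# RFC 5321 reply line: three digits, then '-' (more lines follow) or ' ' (last line).
_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class SmtpReply:
    code: int
    lines: list = field(default_factory=list)


def read_reply(line_source):
    """Consume lines from an iterator (a socket line reader in a real client)
    until a 'NNN text' line closes the reply; 'NNN-text' lines are continuations.
    Raises on malformed lines, a code that changes mid-reply, or EOF inside a reply."""
    reply = None
    for raw in line_source:
        line = raw.rstrip("\r\n")
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if reply is None:
            reply = SmtpReply(code)
        elif code != reply.code:
            raise ValueError(f"reply code changed mid-reply: {reply.code} -> {code}")
        reply.lines.append(text)
        if sep == " ":
            return reply
    raise ValueError("connection closed inside a multi-line reply")


def ehlo_capabilities(reply):
    """Map EHLO keywords to their parameters. The first line is the greeting and is skipped."""
    caps = {}
    for text in reply.lines[1:]:
        parts = text.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def auth_plan(caps, tls_active):
    """Defensive policy for the next client command.
    Without TLS: prefer STARTTLS; otherwise only a challenge-response mechanism
    (CRAM-MD5, password never on the wire) is acceptable; never PLAIN/LOGIN in clear."""
    mechs = caps.get("AUTH", [])
    if not tls_active:
        if "STARTTLS" in caps:
            return "STARTTLS"
        if "CRAM-MD5" in mechs:
            return "AUTH CRAM-MD5"
        return "ABORT"
    for mech in ("CRAM-MD5", "PLAIN", "LOGIN"):
        if mech in mechs:
            return "AUTH " + mech
    return "ABORT"


# Constructed sample: an EHLO reply followed by the next reply, which must not be swallowed.
SAMPLE_LINES = [
    "250-mail.example.test Hello client [192.0.2.10], pleased to meet you\r\n",
    "250-ENHANCEDSTATUSCODES\r\n",
    "250-PIPELINING\r\n",
    "250-8BITMIME\r\n",
    "250-SIZE\r\n",
    "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN\r\n",
    "250-STARTTLS\r\n",
    "250-DELIVERBY\r\n",
    "250 HELP\r\n",
    "220 2.0.0 Ready to start TLS\r\n",
]


def demo():
    """Read the EHLO reply, parse its capabilities, then read the following reply."""
    src = iter(SAMPLE_LINES)
    ehlo = read_reply(src)
    caps = ehlo_capabilities(ehlo)
    following = read_reply(src)
    return ehlo, caps, following


if __name__ == "__main__":
    ehlo, caps, following = demo()
    print(ehlo.code, caps, auth_plan(caps, tls_active=False), following.code)
```

Because the reader stops on the first line whose separator is a space, a HELO/EHLO line counter is unnecessary, and the 220 reply to STARTTLS is left in the stream for the next read. Checking the code on every continuation line means a reply that changes code part way through is rejected rather than silently accepted.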

dirkx commented 8 months ago

Example output below

16:24:27.462 -> Connection: ESTABLISHED
16:24:27.462 -> Got IP address: 1.2.3.4
16:24:27.462 -> ONLY ONE RECIPIENT
16:24:27.496 -> miltiple destination and attachments
16:24:27.496 -> Setting PLAINtext start
16:24:27.496 -> MTA. : 4.3.2.1 port: 2525
16:24:27.496 -> SSL : off
16:24:27.496 -> Try SSL : yes
16:24:27.496 -> [ 1920][D][WiFiClientSecure.cpp:148] connect(): Connecting to 4.3.2.1:2525
16:24:27.496 -> [ 1922][V][ssl_client.cpp:60] start_ssl_client(): Free internal heap before TLS 143532
16:24:27.496 -> [ 1930][V][ssl_client.cpp:66] start_ssl_client(): Starting socket
16:24:27.529 -> [ 1975][V][ssl_client.cpp:144] start_ssl_client(): Seeding the random number generator
16:24:27.562 -> [ 1977][V][ssl_client.cpp:153] start_ssl_client(): Setting up the SSL/TLS structure...
16:24:27.562 -> [ 1981][D][ssl_client.cpp:174] start_ssl_client(): WARNING: Skipping SSL Verification. INSECURE!
16:24:27.562 -> [ 1988][V][ssl_client.cpp:263] start_ssl_client(): Setting hostname for TLS session...
16:24:27.562 -> [ 1996][I][WiFiClientSecure.cpp:154] connect(): Actual TLS start posponed.
16:24:27.696 -> 220 imap.somerandom.org ESMTP Sendmail 8.17.1/8.17.1/somerandom on the ready at Fri, 19 Jan 2024 15:24:27 GMT
16:24:27.696 -> EHLO mischianti
16:24:27.797 -> 250-imap.somerandom.org Hello XXXX [1.2.3.4], pleased to meet you
16:24:27.797 -> 250-ENHANCEDSTATUSCODES
16:24:27.797 -> 250-PIPELINING
16:24:27.833 -> 250-8BITMIME
16:24:27.833 -> 250-SIZE
16:24:27.833 -> 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
16:24:27.833 -> 250-STARTTLS
16:24:27.867 -> 250-DELIVERBY
16:24:27.867 -> 250 HELP
16:24:27.867 -> [ 2294][D][EMailSender.cpp:572] send(): Start upgrade to TLS
16:24:27.901 -> 220 2.0.0 Ready to start TLS
16:24:27.901 -> Switched to TLS/SSL
16:24:27.901 -> [ 2344][I][WiFiClientSecure.cpp:173] startTLS(): startTLS: starting TLS/SSL on this plain connection
16:24:27.935 -> [ 2346][V][ssl_client.cpp:285] ssl_starttls_handshake(): Performing the SSL/TLS handshake...
16:24:29.349 -> [ 3792][V][ssl_client.cpp:306] ssl_starttls_handshake(): Verifying peer X.509 certificate...
16:24:29.349 -> [ 3792][V][ssl_client.cpp:314] ssl_starttls_handshake(): Certificate verified.
16:24:29.383 -> [ 3796][V][ssl_client.cpp:330] ssl_starttls_handshake(): Free internal heap after TLS 100204
16:24:29.383 -> Switched to TLS/SSL - conection now encrypted.
16:24:29.383 -> EHLO mischianti
16:24:29.416 -> 250-imap.somerandom.org Hello XXXX [1.2.3.4], pleased to meet you
16:24:29.416 -> 250-ENHANCEDSTATUSCODES
16:24:29.416 -> 250-PIPELINING
16:24:29.416 -> 250-8BITMIME
16:24:29.416 -> 250-SIZE
16:24:29.416 -> 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
16:24:29.416 -> 250-DELIVERBY
16:24:29.416 -> 250 HELP
16:24:29.416 -> AUTH CRAM-MD5
16:24:29.449 -> 334 PDQ2MjMyNjAzNC4xMTE3OTE1NEBpbWFwLnBoeXNpY2Fsc2VjdXJlLm9yZz4=
16:24:29.483 -> d2F0ZXJwdXQgN2RkNzFjZGNhODg4M2VmYTdhMjUzMzAwMzdhNzI3MTM=
16:24:29.516 -> 235 2.0.0 OK Authenticated
16:24:29.516 -> MAIL FROM: @.>
16:24:30.474 -> 250 2.1.0 @.>... Sender ok
16:24:30.474 -> RCPT TO: @.>
16:24:30.541 -> 250 2.1.5 @.>... Recipient ok
16:24:30.541 -> DATA:
16:24:30.574 -> 354 Enter mail, end with "." on a line by itself
16:24:30.643 -> Message end
16:24:30.844 -> 250 2.0.0 40JFOR3x077898 Message accepted for delivery
16:24:30.879 -> 221 2.0.0 imap.somerandom.org closing connection
16:24:30.879 -> [ 5298][V][ssl_client.cpp:337] stop_ssl_socket(): Cleaning SSL connection.
16:24:30.879 -> Sending status:
16:24:30.879 -> Status:1
16:24:30.879 -> Code: 0
16:24:30.879 -> Desc: Message sent!
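An added example of the CRAM-MD5 exchange that this pull request implements and that the log above shows (the client's AUTH CRAM-MD5, the server's 334 base64 challenge, the client's base64 reply). It is not code from the pull request or from EMailSender; it is Python on the standard library, with HMAC-MD5 written out from the RFC 2104 construction so the steps are visible, and cross-checked against Python's hmac module. The test vector (user tim, shared secret tanstaaftanstaaf, challenge <1896.697170952@postoffice.reston.mci.net>) is the published example from RFC 2195, not the credentials behind the challenge in the log. The caveat a defender would add: CRAM-MD5 keeps the password off the wire, but the server must store it in a recoverable form and the mechanism authenticates only the client, so it complements STARTTLS rather than replacing it.

```python
"""CRAM-MD5 client response (RFC 2195) from the HMAC construction of RFC 2104."""
import base64
import hashlib
import hmac

MD5_BLOCK = 64  # MD5 processes 64-byte blocks; HMAC pads or hashes the key to this size


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 step by step: a key longer than one block is hashed first, a shorter
    key is zero-padded, then H((K ^ opad) || H((K ^ ipad) || msg))."""
    if len(key) > MD5_BLOCK:
        key = hashlib.md5(key).digest()
    key = key.ljust(MD5_BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + msg).digest()
    return hashlib.md5(opad + inner).digest()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Decode the server's challenge, digest it under the shared secret, and return
    the base64 line the client sends: '<username> <32 lowercase hex digits>'."""
    challenge = base64.b64decode(challenge_b64, validate=True)  # rejects non-base64 input
    digest_hex = hmac_md5(password.encode(), challenge).hex()
    return base64.b64encode(f"{username} {digest_hex}".encode()).decode()


def reference_response(username: str, password: str, challenge_b64: str) -> str:
    """Same computation via the standard library, used to cross-check hmac_md5()."""
    challenge = base64.b64decode(challenge_b64, validate=True)
    digest_hex = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest_hex}".encode()).decode()


def answer_challenge(server_line: str, username: str, password: str) -> str:
    """Handle the reply to AUTH CRAM-MD5: only a '334 <base64>' line carries a challenge.
    Anything else (e.g. 504 mechanism not supported) must not be answered with a digest."""
    if not server_line.startswith("334 "):
        raise ValueError(f"unexpected reply to AUTH CRAM-MD5: {server_line!r}")
    return cram_md5_response(username, password, server_line[4:].strip())


# Public test vector from RFC 2195 section 2 (constructed here from the RFC text,
# unrelated to the session in the thread's log).
RFC2195_USER = "tim"
RFC2195_SECRET = "tanstaaftanstaaf"
RFC2195_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC2195_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"


def demo() -> str:
    """Run the exchange for the RFC 2195 vector and return the client's reply line."""
    return answer_challenge("334 " + RFC2195_CHALLENGE, RFC2195_USER, RFC2195_SECRET)


if __name__ == "__main__":
    print("C:", demo())
    print("expected:", RFC2195_RESPONSE)
```

The client never sends the secret; it sends a keyed digest of a nonce the server chose, which is why the thread describes the mechanism as keeping the password out of the clear. The challenge is decoded with validate=True so a malformed or truncated 334 line fails loudly instead of being digested as garbage.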

dirkx commented 7 months ago

Good news - the required SSL split has gone into the master of IDF/Arduino — so that greatly reduces the code needed.

Begin forwarded message:

Subject: Re: [espressif/arduino-esp32] Support for STARTLS/STARTSSL in-band transport upgrades/renegotation (PR #9100)
Date: 9 February 2024 at 20:40:44 CET
To: espressif/arduino-esp32
Reply-To: espressif/arduino-esp32

Merged #9100 https://github.com/espressif/arduino-esp32/pull/9100 into master.


xreef commented 7 months ago

Ahh! Good, I'm going to check the progress to understand what needs to be completed. Bye, Renzo

dirkx commented 7 months ago

On 10 Feb 2024, at 17:59, Renzo Mischianti wrote:

Ahh! Good, I'm going to check the progress to understand what needs to be completed.

I've got an updated version of the current code ready that uses this. But basically the code I pushed earlier is for this.

Dw.