Closed. dirkx closed this 9 months ago.
Hi dirkx, thanks a lot for the pull request. I am trying to create an int base64_decode(char output, char input, int inputLen) so as not to import mbedtls. Thanks, RM
Hmm - with regard to that base64 (and in the unlikely case that you are not linking in mbedtls, as you are forced to use TLS for the connection) -- perhaps replace it by
https://github.com/espressif/esp-idf/blob/master/components/wpa_supplicant/src/utils/base64.c
these? As you will probably need to link that - as your ESP chip needs a network. An alternative would be to add some base64 decode routines, so it works on the other platforms - but that may hit crypto issues (again causing it to need mbedtls)?
Dw
Now I'm adding mbedtls, but I think that base64 encode/decode can't create a cryptography problem; in the future, though, I must think about TLS integration. Thanks again, Renzo
Well - CRAM-MD5/DIGEST-MD5 help you a lot here (the password is no longer in the clear) - and that mollifies most of the MTAs in allowing non-TLS/SSL.
I have a version here of your code that does TLS; I could see how I can clean that up. The issue with these is always the chain of trust - one does not want to hardcode all the world's Certificate Authorities :)
I'll see if I can think of some sort of TOFU.
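The CRAM-MD5 exchange referred to above, written out for both ends of the connection, as an added example that is not part of this pull request or of the EMailSender library. It uses Python's standard base64, hmac and hashlib modules in place of the mbedtls/wpa_supplicant routines discussed earlier in the thread; the hostname, user name and password are constructed for the demo.

```python
"""Both sides of SMTP AUTH CRAM-MD5 (RFC 2195): the server sends a one-time
challenge, the client answers with 'username hex(HMAC-MD5(password, challenge))',
and both halves of the exchange travel base64-encoded on the 334 / response
lines.  The password itself never goes over the wire.
Example code added to this thread; not the library's own implementation."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional, Tuple


def make_challenge(hostname: str) -> bytes:
    """Server side: a fresh msg-id style challenge, unique per session."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()


def encode_challenge(challenge: bytes) -> str:
    """What the server puts after '334 '."""
    return base64.b64encode(challenge).decode("ascii")


def client_response(challenge_b64: str, username: str, password: str) -> str:
    """Client side: decode the 334 payload, keyed-hash it, send back base64."""
    challenge = base64.b64decode(challenge_b64, validate=True)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def decode_response(response_b64: str) -> Tuple[str, str]:
    """Split a client response into (username, hex digest); ValueError if malformed."""
    decoded = base64.b64decode(response_b64, validate=True).decode("utf-8")
    username, digest = decoded.rsplit(" ", 1)
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest is not 32 lowercase hex characters")
    return username, digest


def server_verify(challenge: bytes, response_b64: str,
                  lookup_password: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the HMAC with the stored password and compare in
    constant time.  The server must be able to recover the plaintext password
    (or an MD5 state derived from it); a salted-hash password store cannot
    serve CRAM-MD5."""
    try:
        username, digest = decode_response(response_b64)
    except ValueError:
        return False
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed demo credentials; a real server would look these up.
    users = {"alice": "s3cret"}
    chal = make_challenge("mta.example")
    print("S: 334", encode_challenge(chal))
    resp = client_response(encode_challenge(chal), "alice", "s3cret")
    print("C:", resp)
    print("S:", "235 OK" if server_verify(chal, resp, users.get) else "535 failed")
```

A response is only valid against the challenge it was computed for, so a captured response cannot be replayed in a later session. What CRAM-MD5 does not give you is server authentication or confidentiality of the message itself, and an observer who records the exchange can still guess weak passwords offline; that is why the STARTTLS work later in this thread is still needed.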
Ahh!! Perfect. If you can do that, I will try to help you. I can create a branch to work on without any problem. Bye, Renzo
Hi Dirkx, have you had time to check your code for TLS? If you have something, even partial, and you send it to me, I'll try to give it a fix as well.
Thanks, Renzo
On 9 Jan 2024, at 08:22, Renzo Mischianti @.***> wrote:
> Have you had time to check your code for TLS? If you have something, even partial, and you send it to me, I'll try to give it a fix as well.

Not had the time - will see what I can do. Apologies!
Don't worry, I understand, I fight with time every day. It's only a ping "to remember" ;).
Minor setback - found that in order to do this cleanly/properly I need something like
https://github.com/espressif/arduino-esp32/pull/9100
to be made part of WiFiClientSecure (or a copy of essentially the same as a private WiFiClientSecure class in EMailSender).
Thanks, I'm going to check it.
On 18 Jan 2024, at 12:50, Renzo Mischianti @.***> wrote:
> Thanks, I'm going to check it.

That needs their latest 'dev' version. I've also backported this to the current Arduino IDE - so I will make a branch with that and my simplified code to give you an idea.
Early cleanup/attempt at https://github.com/dirkx/EMailSender/tree/feat_support_starttls
Have to add some APIs for SSL trust management still (Root CAs and a fingerprint for TOFU and simple cases).
Main change - I had to remove the HELO/CONNECT count mechanism and replace it by a detection of the '-' vs. 'space' in the SMTP command response that signals (no) multi-line continuation. Is that workable, or does that break things I do not understand?
Example output below:
```
16:24:27.462 -> Connection: ESTABLISHED
16:24:27.462 -> Got IP address: 1.2.3.4
16:24:27.462 -> ONLY ONE RECIPIENT
16:24:27.496 -> miltiple destination and attachments
16:24:27.496 -> Setting PLAINtext start
16:24:27.496 -> MTA. : 4.3.2.1 port: 2525
16:24:27.496 -> SSL : off
16:24:27.496 -> Try SSL : yes
16:24:27.496 -> [ 1920][D][WiFiClientSecure.cpp:148] connect(): Connecting to 4.3.2.1:2525
16:24:27.496 -> [ 1922][V][ssl_client.cpp:60] start_ssl_client(): Free internal heap before TLS 143532
16:24:27.496 -> [ 1930][V][ssl_client.cpp:66] start_ssl_client(): Starting socket
16:24:27.529 -> [ 1975][V][ssl_client.cpp:144] start_ssl_client(): Seeding the random number generator
16:24:27.562 -> [ 1977][V][ssl_client.cpp:153] start_ssl_client(): Setting up the SSL/TLS structure...
16:24:27.562 -> [ 1981][D][ssl_client.cpp:174] start_ssl_client(): WARNING: Skipping SSL Verification. INSECURE!
16:24:27.562 -> [ 1988][V][ssl_client.cpp:263] start_ssl_client(): Setting hostname for TLS session...
16:24:27.562 -> [ 1996][I][WiFiClientSecure.cpp:154] connect(): Actual TLS start posponed.
16:24:27.696 -> 220 imap.somerandom.org ESMTP Sendmail 8.17.1/8.17.1/somerandom on the ready at Fri, 19 Jan 2024 15:24:27 GMT
16:24:27.696 -> EHLO mischianti
16:24:27.797 -> 250-imap.somerandom.org Hello XXXX [1.2.3.4], pleased to meet you
16:24:27.797 -> 250-ENHANCEDSTATUSCODES
16:24:27.797 -> 250-PIPELINING
16:24:27.833 -> 250-8BITMIME
16:24:27.833 -> 250-SIZE
16:24:27.833 -> 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
16:24:27.833 -> 250-STARTTLS
16:24:27.867 -> 250-DELIVERBY
16:24:27.867 -> 250 HELP
16:24:27.867 -> [ 2294][D][EMailSender.cpp:572] send(): Start upgrade to TLS
16:24:27.901 -> 220 2.0.0 Ready to start TLS
16:24:27.901 -> Switched to TLS/SSL
16:24:27.901 -> [ 2344][I][WiFiClientSecure.cpp:173] startTLS(): startTLS: starting TLS/SSL on this plain connection
16:24:27.935 -> [ 2346][V][ssl_client.cpp:285] ssl_starttls_handshake(): Performing the SSL/TLS handshake...
16:24:29.349 -> [ 3792][V][ssl_client.cpp:306] ssl_starttls_handshake(): Verifying peer X.509 certificate...
16:24:29.349 -> [ 3792][V][ssl_client.cpp:314] ssl_starttls_handshake(): Certificate verified.
16:24:29.383 -> [ 3796][V][ssl_client.cpp:330] ssl_starttls_handshake(): Free internal heap after TLS 100204
16:24:29.383 -> Switched to TLS/SSL - conection now encrypted.
16:24:29.383 -> EHLO mischianti
16:24:29.416 -> 250-imap.somerandom.org Hello XXXX [1.2.3.4], pleased to meet you
16:24:29.416 -> 250-ENHANCEDSTATUSCODES
16:24:29.416 -> 250-PIPELINING
16:24:29.416 -> 250-8BITMIME
16:24:29.416 -> 250-SIZE
16:24:29.416 -> 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN
16:24:29.416 -> 250-DELIVERBY
16:24:29.416 -> 250 HELP
16:24:29.416 -> AUTH CRAM-MD5
16:24:29.449 -> 334 PDQ2MjMyNjAzNC4xMTE3OTE1NEBpbWFwLnBoeXNpY2Fsc2VjdXJlLm9yZz4=
16:24:29.483 -> d2F0ZXJwdXQgN2RkNzFjZGNhODg4M2VmYTdhMjUzMzAwMzdhNzI3MTM=
16:24:29.516 -> 235 2.0.0 OK Authenticated
16:24:29.516 -> MAIL FROM: @.>
16:24:30.474 -> 250 2.1.0 @.>... Sender ok
16:24:30.474 -> RCPT TO: @.>
16:24:30.541 -> 250 2.1.5 @.>... Recipient ok
16:24:30.541 -> DATA:
16:24:30.574 -> 354 Enter mail, end with "." on a line by itself
16:24:30.643 -> Message end
16:24:30.844 -> 250 2.0.0 40JFOR3x077898 Message accepted for delivery
16:24:30.879 -> 221 2.0.0 imap.somerandom.org closing connection
16:24:30.879 -> [ 5298][V][ssl_client.cpp:337] stop_ssl_socket(): Cleaning SSL connection.
16:24:30.879 -> Sending status:
16:24:30.879 -> Status:1
16:24:30.879 -> Code: 0
16:24:30.879 -> Desc: Message sent!
```
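The reply-reading rule described in the comment above ('-' after the code means more lines follow, a space means this is the last one), as an added example that is not part of the pull request or of the EMailSender library. The sample input is a constructed copy of the pre-TLS EHLO reply and the 220 STARTTLS reply from the session log; the capability parsing and the mechanism choice that refuses plaintext AUTH before TLS are this example's own additions.

```python
"""Reading SMTP replies by their continuation marker (RFC 5321, section 4.2.1).

Every reply line is a three-digit code followed by '-' (more lines of this
reply follow) or a space / end of line (this is the last line).  Reading until
the separator is not '-' works for any reply, so no command counting is needed.
Example code added to this thread; not the library's own implementation."""
import re
from typing import Dict, List, Optional, Tuple

_REPLY_LINE = re.compile(r"^(\d{3})([ -]?)(.*)$")

# Constructed sample, adapted from the pre-TLS part of the session log above:
# the multi-line EHLO reply, followed by the single-line reply to STARTTLS.
SAMPLE_INPUT = [
    "250-imap.somerandom.org Hello XXXX [1.2.3.4], pleased to meet you",
    "250-ENHANCEDSTATUSCODES",
    "250-PIPELINING",
    "250-8BITMIME",
    "250-SIZE",
    "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN",
    "250-STARTTLS",
    "250-DELIVERBY",
    "250 HELP",
    "220 2.0.0 Ready to start TLS",
]


def read_reply(lines: List[str]) -> Tuple[int, List[str], List[str]]:
    """Consume exactly one reply from the front of `lines`.

    Returns (code, text_of_each_line, unread_lines).  Raises ValueError on a
    malformed line, on a code that changes mid-reply, or if the data runs out
    while a '-' line still promises more (the server hung up mid-reply).
    """
    code: Optional[int] = None
    texts: List[str] = []
    rest = list(lines)
    while rest:
        line = rest.pop(0).rstrip("\r\n")
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        this_code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError(f"reply code changed mid-reply: {code} -> {this_code}")
        texts.append(text)
        if sep != "-":          # space or bare code: this was the final line
            return code, texts, rest
    raise ValueError("input ended before the reply was complete")


def parse_ehlo(texts: List[str]) -> Dict[str, List[str]]:
    """The first EHLO line is the server greeting; the rest are
    'KEYWORD [param ...]' capability lines."""
    caps: Dict[str, List[str]] = {}
    for text in texts[1:]:
        parts = text.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def offers_starttls(caps: Dict[str, List[str]]) -> bool:
    return "STARTTLS" in caps


def auth_mechanisms(caps: Dict[str, List[str]]) -> List[str]:
    return [m.upper() for m in caps.get("AUTH", [])]


def choose_auth(caps: Dict[str, List[str]], tls_active: bool) -> Optional[str]:
    """Pick a mechanism the client is willing to use: CRAM-MD5 keeps the
    password off the wire, so it is acceptable even before STARTTLS; PLAIN and
    LOGIN send it in the clear and are only used once TLS is up."""
    mechs = auth_mechanisms(caps)
    if "CRAM-MD5" in mechs:
        return "CRAM-MD5"
    if tls_active:
        for m in ("PLAIN", "LOGIN"):
            if m in mechs:
                return m
    return None


if __name__ == "__main__":
    code, texts, rest = read_reply(SAMPLE_INPUT)
    caps = parse_ehlo(texts)
    print(code, "STARTTLS" if offers_starttls(caps) else "no STARTTLS", auth_mechanisms(caps))
    print("auth before TLS:", choose_auth(caps, tls_active=False))
    print("next reply:", read_reply(rest)[:2])
```

Because the reader stops on the separator rather than on a line count, it handles the 9-line EHLO reply and the 1-line 220 reply with the same loop, and a server that closes the connection in the middle of a multi-line reply surfaces as an error instead of a silently truncated capability list. Re-reading EHLO after STARTTLS, as the log does, matters for the same reason: only the post-TLS capability list should decide which AUTH mechanism is used.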
Good news - the required SSL split has gone into the master of IDF/Arduino — so that greatly reduces the code needed.
Begin forwarded message:
Subject: Re: [espressif/arduino-esp32] Support for STARTLS/STARTSSL in-band transport upgrades/renegotation (PR #9100)
Date: 9 February 2024 at 20:40:44 CET
To: espressif/arduino-esp32 @.>
Reply-To: espressif/arduino-esp32 @.>
Merged #9100 https://github.com/espressif/arduino-esp32/pull/9100 into master.
Ahh! Good, I'm going to check the progress to understand what needs to be completed. Bye, Renzo
On 10 Feb 2024, at 17:59, Renzo Mischianti @.***> wrote:
> Ahh! Good, I'm going to check the progress to understand what needs to be completed.
I’ve got an updated version of the current code ready that uses this. But basically the code I pushed earlier is for this.
Dw.
Add CramMD5 auth for platforms that have enough crypto to support this (currently that is, I think, just the ESP32).
This is increasingly needed/easy if you want to post through various MTA-as-a-Service parties.