Notify using ssl/tls

Moderators: grovkillen, Stuntteam, TD-er

Wiki
Normal user
Posts: 413
Joined: 23 Apr 2018, 17:55
Location: Germany

#1 Post by Wiki » 18 May 2020, 12:31

Is there any plan to use ssl/tls for smtp notifying?

Code:

pi@raspberrypi:~ $ man woman
No manual entry for woman
pi@raspberrypi:~ $

TD-er
Core team member
Posts: 8643
Joined: 01 Sep 2017, 22:13
Location: the Netherlands

#2 Post by TD-er » 18 May 2020, 22:27

For ESP32: Yes
For ESP82xx... Well I have to re-test how many resources (mainly memory) the current encryption layer takes.
We're quite low on free memory and SSL/TLS does take a lot of memory, or at least a little over a year ago it did.
A quick test then showed you needed at least 20k of free memory to use it and that's something we don't have on ESP8266.

#3 Post by Wiki » 21 May 2020, 20:31

Ah, OK. Currently no problem for me at all as long as smtp2go still works.

Any roadmap for ESP32 using encryption?

#4 Post by TD-er » 22 May 2020, 12:51

> Wiki wrote: 21 May 2020, 20:31 [...]
> Any roadmap for ESP32 using encryption?

As you may have noticed, the number of ESP32-specific commits and fixes has increased over the last few months, so I'm definitely working on getting the ESP32 on par with the ESP8266 regarding support/features/etc.
I can't put a date on it, but the pull requests made by others for ESP32 also suggest there is an increased demand for ESP32 support.
So I guess the lack of SSL/TLS support on ESP32 will annoy someone else enough to create a PR for it quite soon :)

ThomasB
Normal user
Posts: 1064
Joined: 17 Jun 2018, 20:41
Location: USA

#5 Post by ThomasB » 20 Sep 2021, 19:31

My email host now requires SMTP TLS. So all my ESP8266 devices can't send me any more love letters. If adding TLS is not practical then does anyone have a workaround?

- Thomas

Ath
Normal user
Posts: 3416
Joined: 10 Jun 2018, 12:06
Location: NL

#6 Post by Ath » 20 Sep 2021, 20:20

If you have something light/simple such as a Raspberry Pi, you could run a simple mail server there, that can forward to your external host. Can't offer much help here, as I'm not running anything like that myself.

If you have a stationary Windows system running, you could use hMailServer.
/Ton

#7 Post by ThomasB » 20 Sep 2021, 20:27

> If you have something light/simple such as a Raspberry Pi, you could run a simple mail server there, that can forward to your external host.

Brilliant. I have several RPis running 24/7.

I did a quick online search and it looks like I have a lot of reading/digesting to do. If anyone has already done it then please share any tips.

@Ath, Thank you for pointing out this possible workaround.

- Thomas

#8 Post by TD-er » 20 Sep 2021, 20:50

Today I started working on TLS implementation for MQTT, so that's something that will be there soon. (at least for ESP32, it really takes a lot of RAM)
But maybe with core 3.0.0 where we can have an extra heap, then it might be workable on ESP8266.

#9 Post by ThomasB » 20 Sep 2021, 21:12

> But maybe with core 3.0.0 where we can have an extra heap, then it might be workable on ESP8266.

+1

- Thomas

#10 Post by TD-er » 20 Sep 2021, 23:27

> ThomasB wrote: 20 Sep 2021, 21:12 [...]
> +1
>
> - Thomas

Strange formula... +1 -Thomas ;)

#11 Post by ThomasB » 21 Sep 2021, 01:13

The mathematical equivalence of -Thomas cannot be calculated. Typically invokes a divide by zero error.

#12 Post by TD-er » 21 Sep 2021, 19:43

Or you are your positive self, the square of i?

#13 Post by ThomasB » 02 Nov 2021, 16:24

> ThomasB wrote: 20 Sep 2021, 19:31 My email host now requires SMTP TLS. So all my ESP8266 devices can't send me any more love letters. If adding TLS is not practical then does anyone have a workaround?

Just a follow up on how I solved this:

I tried adding a self-hosted email relay (using EMIX4) to a Raspberry Pi. Gave up, beyond my skills to implement.

So I tried SMTP2GO.com (free account). Spent hours on a spare ESPEasy device, ultimately won the battle. I got it to work after reflashing its ESP_Easy_mega_20201102_test_ESP8266_4M1M_VCC release to the 20201022 branch. Took what I learned and got the Notify function to work on all my devices.

But smtp2go does not work well if I send to more than one receiver (addresses separated by a semicolon). Usually no one gets the email, but randomly the first recipient gets it. From what I could see by the bounced email, the additional address gets prepended with an equal sign (=joe@someplace.com). I tried several ESPEasy releases and they all experienced this issue. So I've had to revert to using only one email recipient.
Edit: Solved it. The wiki says to separate multiple addresses by semicolon. But I looked at the source code and they must be separated by comma. I revised the wiki.

Long story short, my ESPEasy devices are sending emails again. Too bad STARTTLS / TLS (port 587) is not supported, would be nice to have it as a custom build option for the ESP8266. :)

- Thomas

#14 Post by TD-er » 02 Nov 2021, 20:38

As you may have seen, I am working on adding TLS to MQTT, just as a first step.
So far it is working on ESP32, as long as you don't try to validate the certificate.
Thus the data is encrypted, but you don't have a clue whether you're talking to the server you think you're talking to.
Ideal for the infamous man-in-the-middle to perform an attack.

I tried the same code on ESP8266, but that's not only too much of a burden on the RAM, but also on the CPU cycles.
You really need to boost the CPU clock to 160 MHz and still take several seconds to make a connection.

I guess, as soon as I have the MQTT part working, then adding support for SendToHttpS and notify using TLS are the next steps, but that still leaves the ESP8266 a bit in the dark.
So I was thinking we should also be able to send a notification via the p2p layer where 1 ESP32 node in the network would be enough to forward the messages to any mail service.
That's the best one can hope for in the near future for the ESP8266 as it really is too much for that processor to handle TLS.
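
The difference between "encrypted" and "encrypted and authenticated" from the post above, shown on the client side as an added example (not code from ESPEasy or from this thread). Python's `ssl` module stands in for the device's TLS stack; the function names and the refuse-to-send policy are assumptions of this example.

```python
import smtplib
import ssl

def encrypt_only_context():
    """TLS without certificate validation: encrypted, but the peer is anonymous."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including an interceptor's, passes
    return ctx

def authenticated_context(cafile=None):
    """TLS that also proves who the server is (system CA store unless cafile is given)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit(ctx):
    """List the reasons a client context would accept an impostor server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    return findings

def submit(host, port, ctx, sender, recipients, message):
    """Forward one message over STARTTLS, refusing contexts that skip validation."""
    findings = audit(ctx)
    if findings:
        raise ValueError("refusing to send: " + "; ".join(findings))
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls(context=ctx)  # raises ssl.SSLCertVerificationError on a bad cert
        smtp.sendmail(sender, recipients, message)

if __name__ == "__main__":
    for name, ctx in (("encrypt-only", encrypt_only_context()),
                      ("authenticated", authenticated_context())):
        print(name, audit(ctx) or "ok")
```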

#15 Post by ThomasB » 02 Nov 2021, 21:14

> So I was thinking we should also be able to send a notification via the p2p layer where 1 ESP32 node in the network would be enough to forward the messages to any mail service.

+1. I wasn't a fan of signing up for the SMTP2go account. So I like your idea to use an ESP32 to be an SMTP relay for ESPEasy. That would eliminate the need for using an external service to do it.

Or maybe a brilliant user will publish clear step-by-step instructions on how to do it on a Raspberry Pi. Seems to me that many home automation users have one running 24/7 on their local network so it would be a useful platform to use.

- Thomas

starfish
Normal user
Posts: 38
Joined: 16 Feb 2017, 23:46

#16 Post by starfish » 17 Nov 2021, 07:22

> As you may have seen, I am working on adding TLS to MQTT, just as a first step.

Soon we have Xmas - looks like a great Xmas gift :D
Really looking forward ....

TomMa
New user
Posts: 6
Joined: 26 Jun 2020, 17:14

#17 Post by TomMa » 27 Nov 2021, 15:42

You can try emailrelay instead of exim4.
That is what I used some time ago (could not get it to work with exim4 either ;)

I am running it on an Orange Pi with Armbian, should be quite similar on an RPi.
Source code: https://sourceforge.net/projects/emailr ... relay/2.2/
Wiki: http://emailrelay.sourceforge.net/index.html

You have to compile it yourself, no prebuilt packages for ARM available, but it is really easy.

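Code:

./configure.sh
make
sudo make install

The configuration file /etc/emailrelay.conf is well documented; mine looks like this:

Code:

# store incoming mail and forward it to the upstream server's submission port
as-proxy ADDRESS_OF_YOUR_EXTERNAL_MAILSERVER:587
# use TLS on the connection to the upstream server
client-tls
# file holding the credentials used to log in to the upstream server
client-auth /etc/emailrelay.auth
# directory where messages are spooled before forwarding
spool-dir /var/spool/emailrelay

and /etc/emailrelay.auth contains your user/pass of the mailserver you forward to.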

Btw @TD

My notifications sent by ESPEasy get marked as spam because of a missing date in the header.

Code:

Content-Type: text/html; charset="UTF-8"
X-Mailer: EspEasy v20116
X-SPAM-LEVEL: Spam detection results:  1
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	BODY_SINGLE_WORD        0.001 Message body is only one word (no spaces)
	HTML_MESSAGE            0.001 HTML included in message
	HTML_MIME_NO_HTML_TAG   0.377 HTML-only message, but there is no HTML tag
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
	KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
	MIME_HTML_ONLY            0.1 Message only has text/html MIME parts
	MISSING_DATE             1.36 Missing Date: header
	MISSING_MID             0.497 Missing Message-Id: header
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_NONE                0.001 SPF: sender does not publish an SPF Record

At least this is the reason for the highest score for spam detection.
Is this something that could be changed?
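
The report quoted in the post above, ranked by score, and the two missing headers added with Python's standard library. This is an added example, not ESPEasy or emailrelay code; the sample message, its addresses and `relay.example.org` are constructed, and where in the mail path such a rewrite would run is left open.

```python
import email
import re
from email.utils import formatdate, make_msgid

# Constructed sample of a notification that lacks Date: and Message-ID: headers.
RAW = (
    "From: sensor@example.org\r\n"
    "To: me@example.org\r\n"
    "Subject: Door open\r\n"
    'Content-Type: text/html; charset="UTF-8"\r\n'
    "X-Mailer: EspEasy v20116\r\n"
    "\r\n"
    "open\r\n"
)

# Five of the rule lines from the report quoted in the post.
REPORT = """\
BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
HTML_MIME_NO_HTML_TAG   0.377 HTML-only message, but there is no HTML tag
KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
MISSING_DATE             1.36 Missing Date: header
MISSING_MID             0.497 Missing Message-Id: header
"""

def rank_rules(report):
    """Return (rule, score) pairs from a SpamAssassin-style report, highest first."""
    rows = re.findall(r"^\s*([A-Z0-9_]+)\s+(-?\d+(?:\.\d+)?)\s", report, re.M)
    return sorted(((name, float(score)) for name, score in rows),
                  key=lambda row: row[1], reverse=True)

def add_missing_headers(raw, domain="relay.example.org"):
    """Add Date and Message-ID only where absent; existing values are kept."""
    msg = email.message_from_string(raw)
    added = []
    if msg["Date"] is None:
        msg["Date"] = formatdate(localtime=False)  # RFC 5322 date in UTC
        added.append("Date")
    if msg["Message-ID"] is None:
        msg["Message-ID"] = make_msgid(domain=domain)
        added.append("Message-ID")
    return msg, added

if __name__ == "__main__":
    print(rank_rules(REPORT)[:2])
    fixed, added = add_missing_headers(RAW)
    print(added, fixed["Date"], fixed["Message-ID"])
```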

#18 Post by TD-er » 27 Nov 2021, 16:21

Hmm missing timestamp in the mail header is a good point.
Can you make an issue for it on GitHub?

#19 Post by ThomasB » 27 Nov 2021, 19:24

@TomMa, Thanks for the emailrelay info. How is ESPEasy's Notify page set up to use emailrelay? Can you post a screenshot?

- Thomas

#20 Post by TomMa » 01 Dec 2021, 17:07

Setup is quite simple

Domain: does not really matter, I tried "locallan" as well
Server: IP address of my orangepi running emailrelay
Sender: my Gmail mail address
Receiver: destination email address

Don't know if this is the correct way, but the mails get delivered. ;)

If you use your Gmail account as mail relay, then you have to enable "less secure apps"
https://myaccount.google.com/lesssecureapps
Attachments
notification.jpg

#21 Post by ThomasB » 01 Dec 2021, 17:12

@TomMa, Thanks again for the tips on using emailrelay.

- Thomas

#22 Post by TomMa » 02 Dec 2021, 19:06

@ThomasB
Another piece of info if you use Gmail with emailrelay.
My account was switched to second-factor-authentication and now you have to generate an app-specific password that you use with emailrelay (or other third party apps).
https://support.google.com/accounts/answer/185833?hl=en
