Programmatically Replicating TB sending encrypted email

Tultalk
Posts: 3
Joined: September 6th, 2010, 6:38 pm

Programmatically Replicating TB sending encrypted email

Post by Tultalk »

Hi:

Have program module I am working on to send encrypted emails from website to office.

TB log shows typical exchange:

2018-04-21 19:24:55.477000 UTC - 7888[912140]: SMTP Connecting to: cp15.lowesthosting.com
2018-04-21 19:24:56.491000 UTC - 7888[912140]: SMTP Response: 220-cp15m2.lowesthosting.com ESMTP Exim 4.89_1 #1 Sat, 21 Apr 2018 14:24:58 -0500
2018-04-21 19:24:56.491000 UTC - 7888[912140]: SMTP Response: 220-We do not authorize the use of this system to transport unsolicited,
2018-04-21 19:24:56.491000 UTC - 7888[912140]: SMTP Response: 220 and/or bulk e-mail.
2018-04-21 19:24:56.491000 UTC - 7888[912140]: SMTP Send: EHLO [127.0.0.1]
2018-04-21 19:24:57.443000 UTC - 7888[912140]: SMTP Response: 250-cp15m2.lowesthosting.com Hello [192.168.1.143] [72.168.129.57]
2018-04-21 19:24:57.443000 UTC - 7888[912140]: SMTP Response: 250-SIZE 52428800
2018-04-21 19:24:57.443000 UTC - 7888[912140]: SMTP Response: 250-8BITMIME
2018-04-21 19:24:57.443000 UTC - 7888[912140]: SMTP Response: 250-PIPELINING
2018-04-21 19:24:57.443000 UTC - 7888[912140]: SMTP Response: 250-AUTH PLAIN LOGIN
2018-04-21 19:24:57.443000 UTC - 7888[912140]: SMTP Response: 250-STARTTLS
2018-04-21 19:24:57.443000 UTC - 7888[912140]: SMTP Response: 250 HELP
2018-04-21 19:24:57.443000 UTC - 7888[912140]: SMTP Send: STARTTLS
2018-04-21 19:24:58.550000 UTC - 7888[912140]: SMTP Response: 220 TLS go ahead
2018-04-21 19:24:58.550000 UTC - 7888[912140]: SMTP Send: EHLO [127.0.0.1]
2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP Response: 250-cp15m2.lowesthosting.com Hello [192.168.1.143] [72.168.129.57]
2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP Response: 250-SIZE 52428800
2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP Response: 250-8BITMIME
2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP Response: 250-PIPELINING
2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP Response: 250-AUTH PLAIN LOGIN
2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP Response: 250 HELP
2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP auth: server caps 0x20330, pref 0x300, failed 0x0, avail caps 0x300
2018-04-21 19:25:02.325000 UTC - 7888[912140]: (GSSAPI = 0x800, CRAM = 0x2000, NTLM = 0x4000, MSN = 0x8000, PLAIN = 0x200, LOGIN = 0x100, EXTERNAL = 0x400)
2018-04-21 19:25:02.325000 UTC - 7888[912140]: trying auth method 0x200
2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP AuthLoginStep1() for webmaster@bwmjcm.us@cp15.lowesthosting.com
2018-04-21 19:25:02.357000 UTC - 7888[912140]: PLAIN auth
2018-04-21 19:25:02.357000 UTC - 7888[912140]: Logging suppressed for this command (it probably contained authentication information)
2018-04-21 19:25:03.230000 UTC - 7888[912140]: SMTP Response: 235 Authentication succeeded
2018-04-21 19:25:03.230000 UTC - 7888[912140]: SMTP Login response, code 235
2018-04-21 19:25:03.230000 UTC - 7888[912140]: SMTP Send: MAIL FROM:<webmaster@bwmjcm.us> BODY=8BITMIME SIZE=39232
2018-04-21 19:25:04.073000 UTC - 7888[912140]: SMTP Response: 250 OK
2018-04-21 19:25:04.073000 UTC - 7888[912140]: SMTP Send: RCPT TO:<webpass@bwmjcm.us>
2018-04-21 19:25:05.430000 UTC - 7888[912140]: SMTP Response: 250 Accepted
2018-04-21 19:25:05.430000 UTC - 7888[912140]: SMTP Send: DATA
2018-04-21 19:25:06.194000 UTC - 7888[912140]: SMTP Response: 354 Enter message, ending with "." on a line by itself
2018-04-21 19:25:06.210000 UTC - 7888[912140]: SMTP Send: .
2018-04-21 19:25:08.846000 UTC - 7888[912140]: SMTP Response: 250 OK id=1f9y8B-0001RV-Rl
2018-04-21 19:25:08.846000 UTC - 7888[912140]: SMTP Send: QUIT
2018-04-21 19:25:09.907000 UTC - 7888[912140]: SMTP Response: 221 cp15m2.lowesthosting.com closing connection
2018-04-21 19:25:10.188000 UTC - 7888[912140]: SMTP connection error quitting 804b0002, ignoring


My exchange where I do the STARTTLS after login


- trying 127.0.0.1
- connected to 127.0.0.1
<220-cp15m2.lowesthosting.com ESMTP Exim 4.89_1 #1 Sat, 21 Apr 2018 17:11:19 -0500
<220-We do not authorize the use of this system to transport unsolicited,
<220 and/or bulk e-mail.
>EHLO 127.0.0.1
<250-cp15m2.lowesthosting.com Hello 127.0.0.1 [127.0.0.1]
<250-SIZE 52428800
<250-8BITMIME
<250-PIPELINING
<250-AUTH PLAIN LOGIN
<250-CHUNKING
<250-STARTTLS
<250 HELP
AUTH requested
Trying AUTH PLAIN
>AUTH PLAIN d2VibWFzdGVyQGJ3bWpjbS51cwB3ZWJtYXN0ZXJAYndtamNtLnVzAHdtQDQwOTEzV00=
<235 Authentication succeeded
>MAIL FROM:<webmaster@bwmjcm.us>
<250 OK
>RCPT TO:<webpass@bwmjcm.us>
<250 Accepted
>RCPT TO:<tultalk@hughes.net>
<250 Accepted
>STARTTLS
<220 TLS go ahead
>DATA
<421 cp15m2.lowesthosting.com: SMTP command timeout - closing connection
Server said: 421 cp15m2.lowesthosting.com: SMTP command timeout - closing connection

If I send the STARTTLS just after the ehlo response from server and before authentication, it crashes saying authentication failed.

If I don't send STARTTLS it sends email as expected.


Is the "suppressed" logon (2018-04-21 19:25:02.357000 UTC - 7888[912140]: Logging suppressed for this command (it probably contained authentication information)) a base64 PLAIN login?

elsif ($method eq "PLAIN") {
    warn "Trying AUTH PLAIN\n" if ($mailcfg{debug} > 9);
    # RFC 4616 PLAIN: base64("authzid\0authcid\0password"), sent on one line.
    # This module repeats the user name as the authorization identity;
    # encode_base64's second argument ($CRLF) is the line terminator appended.
    socket_write(
        "AUTH PLAIN "
        . encode_base64(join("\0", $auth->{user}, $auth->{user}, $auth->{password}), $CRLF)
    ) || return fail("send AUTH PLAIN failed (lost connection?)");
    # Expect "235 Authentication succeeded"; anything else is reported verbatim.
    socket_read()
        || return fail("AUTH PLAIN failed: $server_reply");
}

Also what is this in the TB exchange?

2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP auth: server caps 0x20330, pref 0x300, failed 0x0, avail caps 0x300

2018-04-21 19:25:02.325000 UTC - 7888[912140]: (GSSAPI = 0x800, CRAM = 0x2000, NTLM = 0x4000, MSN = 0x8000, PLAIN = 0x200, LOGIN = 0x100, EXTERNAL = 0x400)

2018-04-21 19:25:02.325000 UTC - 7888[912140]: trying auth method 0x200

2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP AuthLoginStep1() for webmaster@bwmjcm.us@cp15.lowesthosting.com
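An added example, not code from the original post, from Mail::Sendmail or from Thunderbird, that answers the three questions above in running code: it builds and decodes the AUTH PLAIN payload Thunderbird's log suppresses (RFC 4616), decodes the "server caps / pref / avail caps" line using only the legend Thunderbird printed, and replays both command orders from the thread against a small model of the server's ordering rules to show why STARTTLS issued after AUTH and followed by a cleartext DATA ends in "421 SMTP command timeout". The host name mail.example.test and all credentials in it are made up. One caveat the traces themselves show: the server advertises AUTH PLAIN before STARTTLS, so the second trace sent the password in cleartext and the server accepted it; the fix is the ordering Thunderbird uses, not a different AUTH mechanism.

```python
import base64

# 1. SASL PLAIN (RFC 4616): what Thunderbird's "Logging suppressed" line hides.

def auth_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Base64 payload of an AUTH PLAIN command: authzid NUL authcid NUL password.
    Thunderbird sends an empty authzid; the Mail::Sendmail snippet in the thread
    repeats the user name in both fields. Servers accept either form."""
    raw = "\0".join([authzid, authcid, password]).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(payload: str) -> tuple:
    """Inverse of auth_plain, for reading a captured AUTH PLAIN line."""
    fields = base64.b64decode(payload).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("PLAIN payload must contain exactly two NUL separators")
    return tuple(fields)


# 2. Thunderbird's "SMTP auth: server caps 0x20330, pref 0x300 ..." line.

# Legend exactly as Thunderbird printed it; bits it does not name are not guessed.
TB_AUTH_BITS = {0x800: "GSSAPI", 0x2000: "CRAM-MD5", 0x4000: "NTLM", 0x8000: "MSN",
                0x200: "PLAIN", 0x100: "LOGIN", 0x400: "EXTERNAL"}


def tb_auth_choice(server_caps: int, pref: int, failed: int = 0) -> dict:
    """avail = server caps & preferred & ~failed; PLAIN before LOGIN, as the log shows."""
    def names(mask):
        return sorted(n for bit, n in TB_AUTH_BITS.items() if mask & bit)
    avail = server_caps & pref & ~failed
    trying = next((n for bit, n in ((0x200, "PLAIN"), (0x100, "LOGIN")) if avail & bit), None)
    return {"server": names(server_caps), "available": names(avail), "trying": trying,
            "unnamed_bits": hex(server_caps & ~sum(TB_AUTH_BITS))}


# 3. Why "AUTH, MAIL, RCPT, STARTTLS, then cleartext DATA" ends in a 421.

class SmtpServerModel:
    """Ordering rules of an ESMTP server (RFC 3207, RFC 4954), no sockets.
    After '220 TLS go ahead' the server expects a TLS ClientHello; once the
    handshake completes, RFC 3207 section 4.2 resets the session, so EHLO,
    AUTH, MAIL and RCPT all have to be repeated inside TLS. over_tls marks
    the client's first bytes after the 220 as the start of a handshake."""

    def __init__(self):
        self.tls = self.awaiting_handshake = False
        self._reset_session()

    def _reset_session(self):
        self.greeted = self.authed = self.in_transaction = False

    def send(self, line: str, over_tls: bool = False) -> str:
        verb = line.split(" ", 1)[0].upper()
        if self.awaiting_handshake:
            if not over_tls:
                # ASCII where TLS records are expected is never parsed as a
                # command; the server idles until its command timeout fires.
                return "421 SMTP command timeout - closing connection"
            self.awaiting_handshake, self.tls = False, True
            self._reset_session()
        if verb == "EHLO":
            self.greeted = True
            exts = ["250-SIZE 52428800", "250-AUTH PLAIN LOGIN"]
            if not self.tls:
                exts.append("250-STARTTLS")  # never re-advertised inside TLS
            return "\r\n".join(["250-mail.example.test Hello", *exts, "250 HELP"])
        if not self.greeted:
            return "503 send EHLO first"
        if verb == "STARTTLS":
            if self.tls:
                return "503 TLS already active"
            self.awaiting_handshake = True
            return "220 TLS go ahead"
        if verb == "AUTH":
            self.authed = True  # like the Exim host in the thread: accepted on cleartext too
            return "235 Authentication succeeded"
        if verb == "MAIL":
            if not self.authed:
                return "530 Authentication required"
            self.in_transaction = True
            return "250 OK"
        if verb in ("RCPT", "DATA"):
            if not self.in_transaction:
                return "503 MAIL first"
            return "250 Accepted" if verb == "RCPT" else '354 Enter message, ending with "." on a line by itself'
        if verb == "QUIT":
            return "221 closing connection"
        return "500 unrecognised command"


def run_script(script) -> list:
    """Replay (command, over_tls) pairs against a fresh model; return reply codes."""
    server = SmtpServerModel()
    return [server.send(cmd, tls)[:3] for cmd, tls in script]


if __name__ == "__main__":
    # Constructed replay of the order in the thread; credentials are made up.
    login = "AUTH PLAIN " + auth_plain("webmaster@example.test", "made-up-password")
    print(run_script([("EHLO [127.0.0.1]", False), (login, False), ("MAIL FROM:<a@example.test>", False),
                      ("RCPT TO:<b@example.test>", False), ("STARTTLS", False), ("DATA", False)]))
    print(tb_auth_choice(0x20330, 0x300))
```

Replaying Thunderbird's order (EHLO, STARTTLS, handshake, EHLO, AUTH, MAIL, RCPT, DATA) through the same model gives 250, 220, 250, 235, 250, 250, 354; the variant from the post where STARTTLS is sent right after the first EHLO and AUTH follows without a handshake gives 250, 220, 421, which is the "authentication failed" the client reports. The bits 0x10, 0x20 and 0x20000 in "server caps 0x20330" are not in Thunderbird's printed legend and are not AUTH mechanisms, so the function reports them as unnamed rather than naming them.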
DanRaisch
Moderator
Posts: 127188
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Re: Programmatically Replicating TB sending encrypted email

Post by DanRaisch »

Moving to Thunderbird Support.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Programmatically Replicating TB sending encrypted email

Post by tanstaafl »

Some background information about your configuration would help. For example, 127.0.0.1 usually means you are connected to a local proxy. Yet it seems to be used to connect to a host provided by lowesthosting.com. Saying "Have program module I am working on to send encrypted emails from website to office" also seems to contradict the smtp log of TB sending a message (TB is not a website). By website do you really mean using TB to send a message using lowesthosting to send a message to your office?

Forget the log files for a moment and please try to elaborate on your configuration and what you are trying to do.

Is your program module using Thunderbird's command line interface, XPCOM or SimpleMAPI?

Have you considered using an existing smtp utility that could save a copy of sent mail in Thunderbird's profile rather than trying to automate using Thunderbird? See http://kb.mozillazine.org/Mail_Utilities#SMTP_utilities for some ideas. If the utility doesn't support saving a copy you could BCC the message to the senders address and have Thunderbird use a message filter to move the message to the sent folder.

http://blat.yahoogroups.narkive.com/non ... sent-items
Tultalk
Posts: 3
Joined: September 6th, 2010, 6:38 pm

Re: Programmatically Replicating TB sending encrypted email

Post by Tultalk »

Hi: Thanks for reply.

The 127.0.0.1 is because my program is running on the host and TB is running on my computer.

I have two TB client accounts I am using here. One called webpass@xyz.us is in office. Other webmaster@xyz.us
is as indicated the webmaster for website. When someone (registered user) changes their password through a website interface, I am sending email to webpass containing the new password. I want to encrypt that email message. This is sent with sendmail (old v .8) as adapted by me. Yes, there are many other ways to do this but this is the path I have chosen.

I looked at my client/server exchange sending message from webmaster to webpass using TB clients after having my code fail.
I sent the STARTTLS programmatically in the same sequence of command exchanges as TB does yet TB succeeds and my exchange
fails with the encrypted password posting. As you can see from the TB exchange, the logging hides the authentication exchange:
(2018-04-21 19:25:02.357000 UTC - 7888[912140]: Logging suppressed for this command (it probably contained authentication information)). I am using PLAIN/base64 so I assume that TB is doing the same in response to PLAIN even though I can't see what TB is sending. PLAIN is PLAIN and a single log concatenated string. I send AUTH PLAIN d2VibWFzdGVyQGJ3bWpjbS51cwB3ZWJtYXN0ZXJAYndtamNtLnVzAHdtQDQwOTEzV00=. I would like to see what is accepted from the TB command.

Also, I don't know what this is appearing in the TB logging or whether it affects what I am doing:

2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP auth: server caps 0x20330, pref 0x300, failed 0x0, avail caps 0x300
2018-04-21 19:25:02.325000 UTC - 7888[912140]: (GSSAPI = 0x800, CRAM = 0x2000, NTLM = 0x4000, MSN = 0x8000, PLAIN = 0x200, LOGIN = 0x100, EXTERNAL = 0x400)
2018-04-21 19:25:02.325000 UTC - 7888[912140]: trying auth method 0x200
2018-04-21 19:25:02.325000 UTC - 7888[912140]: SMTP AuthLoginStep1() for webmaster@bwmjcm.us@cp15.lowesthosting.com

Are these necessary commands sent by TB client to the server? The logging does not say SEND or RESPONSE
so I don't know what these are. If they are needed where would I find criteria for composing them?
I don't see such an exchange in any other examples.

Thanks for your support.
Tultalk
Posts: 3
Joined: September 6th, 2010, 6:38 pm

Re: Programmatically Replicating TB sending encrypted email

Post by Tultalk »

Relevant searches turned up this:


https://www.independentagent.com/Resour ... LSFAQ.aspx

TLS creates an encryption tunnel between two e-mail servers that both have TLS active. When TLS is in place, users from both parties can send e-mail to each other without doing anything extra to encrypt the email or its attachments. Passwords are not required to open a given e-mail message or attachments. This greatly simplifies the process for protecting confidential information, because no extra steps are required by the sender or receiver.



From gmail: https://support.google.com/a/answer/2520500?hl=en

(Optional) Check the Require CA signed cert when delivering outbound to the above-specified TLS-enabled domains box.

If you check this box, the client SMTP server must present a valid CA signed certificate for messages that match the conditions you set in steps 6 and 7. The cert requirement is enforced only for messages that match these conditions. For example, if you select Outbound - messages requiring Secure Transport via another setting in step 6, only outgoing messages sent through a smart host or alternate secure route will require a CA signed cert. Messages sent through any other route are delivered without requiring a CA signed cert.


This implies I don't need to encrypt message myself. Does this sound right? I can just enable TLS and no certs required?
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Programmatically Replicating TB sending encrypted email

Post by tanstaafl »

Tultalk wrote:This implies I don't need to encrypt message myself. Does this sound right? I can just enable TLS and no certs required?
No.

1. The TLS encryption only applies while the message is in transit. The typical reason to encrypt a message that you are sending is to protect it after it's been received. MITM attacks are also a possibility due to a bug (they keep finding new ones such as a protocol downgrade attack) or due to the client supporting so many CAs. The attacker only has to find one that has poor security practices. I looked through TB's list of CAs and it still has Start.com certificate from 2006 that is marked as valid. I thought that was supposed to have been removed by now per https://blog.mozilla.org/security/2017/ ... irefox-58/

https://news.netcraft.com/archives/2016 ... tacks.html
https://p16.praetorian.com/blog/man-in- ... ade-attack
https://www.acunetix.com/blog/articles/ ... inal-part/
https://security.stackexchange.com/ques ... our-server

2. "When TLS is in place, users from both parties can send e-mail to each other without doing anything extra to encrypt the email or its attachments." is misleading. It assumes that the same server on the same host is used for both receiving and sending.

3. TLS does require a certificate. I think you misunderstood https://support.google.com/a/answer/2520500?hl=en . "Gmail uses TLS by default, but when a secure connection isn't available (both sender and recipient need to use TLS to create a secure connection), Gmail will deliver messages over non-secure connections." means that if a certificate is not available Gmail will use a non-secure connection. In your case you never want that. One of the advantages of TLS over StartTLS as it's implemented in Thunderbird is that if it is configured to make a TLS connection and it can't make a secure connection, the connection will fail, rather than silently downgrading to an insecure connection.
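An added example, not from the thread or from Thunderbird, illustrating the fail-closed point in item 3 and the downgrade attack in item 1 for a script like the poster's: the policy function shows what each transport mode does when an on-path attacker strips the STARTTLS line from the EHLO reply, and the sender only implements the two modes that refuse to fall back, with certificate and host-name verification on. Host names, ports and message contents are placeholders; the mode names are this example's own, not Thunderbird's setting labels.

```python
import smtplib
import ssl
from email.message import EmailMessage


def transport_decision(mode: str, ehlo_extensions) -> str:
    """Decide what to do with the server's EHLO feature list.

    mode: 'implicit'           TLS from the first byte (port 465); nothing to strip
          'starttls-required'  use STARTTLS, abort if the server does not offer it
          'opportunistic'      use STARTTLS if offered, else continue in cleartext
    Returns 'tls', 'abort' or 'cleartext'."""
    offered = any(ext.upper().startswith("STARTTLS") for ext in ehlo_extensions)
    if mode == "implicit":
        return "tls"
    if mode == "starttls-required":
        return "tls" if offered else "abort"
    if mode == "opportunistic":
        return "tls" if offered else "cleartext"  # the silent downgrade
    raise ValueError(f"unknown mode {mode!r}")


def strip_starttls(ehlo_extensions) -> list:
    """An on-path attacker's edit to the EHLO reply ('STARTTLS stripping')."""
    return [e for e in ehlo_extensions if not e.upper().startswith("STARTTLS")]


def send_over_verified_tls(host: str, port: int, user: str, password: str,
                           msg: EmailMessage, mode: str = "implicit") -> None:
    """Send msg over a verified TLS transport, never falling back to cleartext.

    ssl.create_default_context() checks the chain against the platform CA store
    and the host name; pass cafile=... to it to trust only the provider's CA
    instead of every root in the store (the concern raised in item 1)."""
    ctx = ssl.create_default_context()
    if mode == "implicit":
        server = smtplib.SMTP_SSL(host, port, context=ctx)
    elif mode == "starttls-required":
        server = smtplib.SMTP(host, port)
        server.ehlo()
        # esmtp_features holds the advertised extensions, lower-cased
        if transport_decision(mode, list(server.esmtp_features)) != "tls":
            server.close()
            raise RuntimeError("STARTTLS not offered; refusing to send credentials in cleartext")
        server.starttls(context=ctx)
        server.ehlo()  # RFC 3207: repeat EHLO inside the encrypted channel
    else:
        raise ValueError("opportunistic mode is deliberately not supported here")
    try:
        server.login(user, password)  # AUTH PLAIN now travels inside TLS
        server.send_message(msg)
    finally:
        server.quit()


if __name__ == "__main__":
    # Constructed EHLO reply modelled on the one in the thread.
    exts = ["SIZE 52428800", "8BITMIME", "PIPELINING", "AUTH PLAIN LOGIN", "STARTTLS", "HELP"]
    for mode in ("implicit", "starttls-required", "opportunistic"):
        print(mode, transport_decision(mode, exts), transport_decision(mode, strip_starttls(exts)))
    # Real send (network required); placeholders only:
    # m = EmailMessage(); m["From"] = "webmaster@example.test"; m["To"] = "webpass@example.test"
    # m["Subject"] = "password change"; m.set_content("...")
    # send_over_verified_tls("mail.example.test", 465, "webmaster@example.test", "secret", m)
```

Whatever the transport does, TLS ends at the receiving server: the password in the message body is stored in cleartext in the recipient's mailbox, which is the point of item 1 and the reason a transport setting does not replace encrypting the message itself.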