Author Topic: Email / TLS and Network Storage  (Read 321 times)

PoBe

Email / TLS and Network Storage
« on: August 27, 2019, 11:50:32 PM »

I just got a DCS 2670L camera. When configuring / testing the "Event Setup" I tried to set up email notification using TLS over port 587. I have a number of other DCS cameras configured using email over TLS/587 without problem. But for the 2670L I could not get it going. It looks like the initial authorization failed.
2019-08-28 07:59:22 xxxxxxxxxxxx sendmail[30683]: STARTTLS=server, relay=[192.168.42.204], version=TLSv1, verify=NOT, cipher=ECDHE-RSA-AES256-SHA, bits=256/25
2019-08-28 07:59:22 xxxxxxxxxxxx sendmail[30683]: x7S5xGVg030683: [192.168.42.204] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
I have used the same mail server and account for other cameras without any problem. Using plain port 25 without TLS was a workaround for me. With the camera and mail server on the same closed network I believe it's acceptable.

I discovered that the "Network storage" server alternative has been removed. This alternative has been around for many of the cameras for a long time. This was a bit of a disappointment. The FTP alternative was an alternative for me (but not the preferred one).
I'm running the latest firmware, 2.01.10.


Are you aware of any issues using mail tls/587 notification?
Why was the Network Storage server option removed?

Is D-Link's long-term direction to remove the web UI for their cameras?


If so, I can understand the rationale, but IMHO mydlink has a long, long way to go before I would find it appealing and functionally worthy and overall worthy.
« Last Edit: August 27, 2019, 11:57:52 PM by PoBe »

PASGILI

Re: Email / TLS and Network Storage
« Reply #1 on: August 28, 2019, 04:21:27 AM »

Hello, I have the same firmware and I use TLS on port 587 to send emails. I have no problems; it works very well.
For network storage I was also surprised, and I do it via FTP.
Sincerely
Pascal

PoBe

Re: Email / TLS and Network Storage
« Reply #2 on: August 28, 2019, 11:03:41 AM »

I'm glad that someone has it working. It gives me hope; I will give it a more in-depth try. I have six 2132L cameras using mail notification and the same mail server and account without any issues. I was quite convinced I had the new 2670L set up in the same way. Maybe I have not :o

Btw, what mail server and version of the server are you using?
What openssl version are you using?

I'm on  sendmail 8.15.2 and openssl 1.1.1b

best regards,
PoBe

PoBe

Re: Email / TLS and Network Storage
« Reply #3 on: August 29, 2019, 11:47:26 AM »

Hmm, still unsuccessful in getting it working. The difference between the camera working and the one not working is:

Working camera
  • Remote and comes in via a router
  • Use cipher DHE-RSA-AES256-SHA

Non Working Camera
  • Is a node on the local LAN (and is relayed via the router on the LAN)
  • Using cipher ECDHE-RSA-AES256-SHA

Both ciphers appear for TLSv1 when listing the ciphers in OpenSSL. In sendmail I have not specified any ciphers, so I assume that it will use what OpenSSL has.

Looking at more verbose sendmail logs, it looks like the failing camera does not even get to the authorization phase. The last logging is:

2019-08-29 19:27:54 xxxxxxxxxx sendmail[2923]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
2019-08-29 19:27:54 xxxxxxxxxx sendmail[2923]: AUTH: available mech=GSS-SPNEGO GSSAPI LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
2019-08-29 19:27:54 xxxxxxxxxx sendmail[2923]: STARTTLS=read, info: fds=7/4, err=2
2019-08-29 19:27:54 xxxxxxxxxx sendmail[2923]: x7THRl8S002923: <-- QUIT


The verbose sendmail logs for a failing connection and a successful connection are found via the URL below.
https://www.dropbox.com/sh/9wf8cmk7jyoqjvc/AAB8jmSU3UYPa-P5JcDi5i7ca?dl=0

PASGILI

Re: Email / TLS and Network Storage
« Reply #4 on: August 30, 2019, 01:34:05 AM »

 Hello, unfortunately I don't have the same computer knowledge as you do.
What I meant, in the hope that it will help you is my configuration of the mail event.
Sender's e-mail address xxxx@gmx.fr
Recipient's email address xxxx@gmail.com
Address of the mail server.gmx.com
User name xxxx@gmx.fr
Password °°°°°°°°°°°°°°°°°°
Port 587
checked "This server requires a secure connection (StartTLS)"
Sincerely

PoBe

Re: Email / TLS and Network Storage
« Reply #5 on: August 30, 2019, 03:42:07 AM »

Thanks. To me it looks like the camera terminates/quits the TLS session before the authentication. Everything looks OK in the mail server log. Unfortunately the logging in the camera is very sparse, so it's not possible to tell why the camera quit the session.

Below you will see the failing interaction

2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: STARTTLS=server, relay=[192.168.42.204], version=TLSv1, verify=NOT, cipher=ECDHE-RSA-AES256-SHA, bits=256/256
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: AUTH: available mech=GSS-SPNEGO GSSAPI LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: STARTTLS=read, info: fds=7/4, err=2
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: x7U681bh018794: <-- QUIT
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: x7U681bh018794: --- 221 2.0.0 xxxxxxxxx.com closing connection

 
This is how it looks from a camera that works

2019-08-29 19:36:01 xxxxxxxxxx sendmail[3431]: x7THZuRj003431: --- 220 2.0.0 Ready to start TLS
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: STARTTLS=server, get_verify: 0 get_peer: 0x0
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: STARTTLS=server, relay=nn-nnn-nnn-nn.foobar.frotz.net [nn.nnn.nnn.nn], version=TLSv1, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: AUTH: available mech=GSS-SPNEGO GSSAPI LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: STARTTLS=read, info: fds=7/4, err=2
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: x7THZuRj003431: <-- EHLO smtp.txt
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: x7THZuRk003431: milter=greylist, action=helo, continue

2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: x7THZuRj003431: <-- EHLO smtp.txt


 
Logged
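The comparison made by hand in the post above (cipher negotiated, then the first commands the client sends inside the TLS session) can be automated over a sendmail log. This is an added example, not part of the original posts and not D-Link or sendmail code; the hostname `mx`, the `example.net` relay and its address, and the flag names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sendmail lines quoted in this thread.
SAMPLE_LOG = """\
2019-08-30 08:08:08 mx sendmail[18794]: STARTTLS=server, relay=[192.168.42.204], version=TLSv1, verify=NOT, cipher=ECDHE-RSA-AES256-SHA, bits=256/256
2019-08-30 08:08:08 mx sendmail[18794]: AUTH: available mech=LOGIN PLAIN, allowed mech=LOGIN PLAIN
2019-08-30 08:08:08 mx sendmail[18794]: x7U681bh018794: <-- QUIT
2019-08-29 19:36:04 mx sendmail[3431]: STARTTLS=server, relay=cam.example.net [203.0.113.7], version=TLSv1, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
2019-08-29 19:36:04 mx sendmail[3431]: x7THZuRj003431: <-- EHLO smtp.txt
2019-08-29 19:36:05 mx sendmail[3431]: x7THZuRj003431: <-- MAIL FROM:<cam@example.net>
"""

LINE = re.compile(r"sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS = re.compile(r"STARTTLS=server, relay=(?P<relay>.*?), version=(?P<version>[^,]+), verify=(?P<verify>[^,]+), cipher=(?P<cipher>[^,]+)")
CMD = re.compile(r"<-- (?P<verb>[A-Za-z]+)")
WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}  # deprecated protocol versions

def summarize(log_text):
    """Group lines by sendmail PID and report what each client did after STARTTLS."""
    sessions = defaultdict(lambda: {"tls": None, "cmds": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s = sessions[m["pid"]]
        tls = TLS.search(m["msg"])
        cmd = CMD.search(m["msg"])
        if tls:
            s["tls"] = tls.groupdict()
        elif cmd and s["tls"]:  # only count commands sent inside the TLS session
            s["cmds"].append(cmd["verb"].upper())
    report = {}
    for pid, s in sessions.items():
        if not s["tls"]:
            continue
        flags = []
        if s["tls"]["version"] in WEAK_VERSIONS:
            flags.append("legacy-protocol")
        if not any(c in ("MAIL", "AUTH") for c in s["cmds"]):
            flags.append("no-mail-after-tls")  # handshake completed, client never submitted mail
        report[pid] = {**s["tls"], "cmds": s["cmds"], "flags": flags}
    return report

if __name__ == "__main__":
    for pid, info in summarize(SAMPLE_LOG).items():
        print(pid, info["relay"], info["version"], info["cipher"], info["cmds"], info["flags"])
```

Sessions flagged `no-mail-after-tls` are the ones worth pairing with a packet trace, since the server log alone does not say why the client stopped.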

PoBe

Re: Email / TLS and Network Storage
« Reply #6 on: August 30, 2019, 09:52:43 AM »

When running a TCP trace on the sessions that work and do not work I can see that the key exchange and TLS session are established in both cases. In the session that fails the client sends one application message and the mail server responds with one application message before the mail server sends an Encrypted Alert.

From tracing an unencrypted session I can see that the first application message from the client is a "MAIL FROM:...". The server would then respond with a "250 2.1.0 <sender> ... Sender ok".

So when running the 2670L over port 25 unencrypted mail notification works.
When using port 587 and TLS it does not work.

Testing with a 2230L against the same mail server and mail account, port 587 and TLS works.

The only difference between the two cameras as I can see is that the 2670L uses the cipher ECDHE-RSA-AES256-SHA while the 2230L is using DHE-RSA-AES256-SHA.

But since the trace indicates that the establishment of the TLS session is OK in both cases, I wonder if that has any relevance? However, the mail server response to the Client Key Exchange message says "Change Cipher Spec"; was the cipher then changed to something else? Do both have the same capabilities to deal with any new cipher (if it was changed)?

Here is the summary trace for the working 2230L camera

No.     Time           Source                Destination           Protocol Length Info
     42 3.611963       192.168.42.201        192.168.42.11         TCP      74     2521 → 587 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=823973818 TSecr=0 WS=2
     43 3.611998       192.168.42.11         192.168.42.201        TCP      74     587 → 2521 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2099072690 TSecr=823973818 WS=128
     44 3.614888       192.168.42.201        192.168.42.11         TCP      66     2521 → 587 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=823973819 TSecr=2099072690
     81 8.627260       192.168.42.11         192.168.42.201        SMTP     147    S: 220 xxxxxxxx.com ESMTP Sendmail 8.15.2/8.15.2; Fri, 30 Aug 2019 17:22:41 +0200
     82 8.629172       192.168.42.201        192.168.42.11         TCP      66     2521 → 587 [ACK] Seq=1 Ack=82 Win=5840 Len=0 TSval=823974321 TSecr=2099077705
     83 8.630065       192.168.42.201        192.168.42.11         SMTP     81     C: EHLO smtp.txt
     84 8.630083       192.168.42.11         192.168.42.201        TCP      66     587 → 2521 [ACK] Seq=82 Ack=16 Win=65280 Len=0 TSval=2099077708 TSecr=823974321
     85 8.630426       192.168.42.11         192.168.42.201        SMTP     259    S: 250-xxxxxxxx.com Hello [192.168.42.201], pleased to meet you | 250-ENHANCEDSTATUSCODES | 250-PIPELINING | 250-8BITMIME | 250-SIZE | 250-DSN | 250-AUTH GSSAPI | 250-STARTTLS | 250-DELIVERBY | 250 HELP
     86 8.633950       192.168.42.201        192.168.42.11         SMTP     76     C: STARTTLS
     87 8.633980       192.168.42.11         192.168.42.201        TCP      66     587 → 2521 [ACK] Seq=275 Ack=26 Win=65280 Len=0 TSval=2099077712 TSecr=823974321
     88 8.634146       192.168.42.11         192.168.42.201        SMTP     96     S: 220 2.0.0 Ready to start TLS
     89 8.648925       192.168.42.201        192.168.42.11         TLSv1    160    Client Hello
     90 8.648951       192.168.42.11         192.168.42.201        TCP      66     587 → 2521 [ACK] Seq=305 Ack=120 Win=65280 Len=0 TSval=2099077727 TSecr=823974323
     91 8.663513       192.168.42.11         192.168.42.201        TLSv1    1915   Server Hello, Certificate, Server Key Exchange, Server Hello Done
     92 8.668453       192.168.42.201        192.168.42.11         TCP      66     2521 → 587 [ACK] Seq=120 Ack=2154 Win=12704 Len=0 TSval=823974325 TSecr=2099077742
    104 11.032361      192.168.42.201        192.168.42.11         TLSv1    392    Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
    105 11.045152      192.168.42.11         192.168.42.201        TLSv1    300    New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
    106 11.054332      192.168.42.201        192.168.42.11         TLSv1    156    Application Data, Application Data
    107 11.054876      192.168.42.11         192.168.42.201        TLSv1    295    Application Data
    108 11.064731      192.168.42.201        192.168.42.11         TLSv1    156    Application Data, Application Data
    109 11.064878      192.168.42.11         192.168.42.201        TLSv1    119    Application Data
    110 11.068627      192.168.42.201        192.168.42.11         TLSv1    156    Application Data, Application Data
    111 11.068758      192.168.42.11         192.168.42.201        TLSv1    119    Application Data
    112 11.072400      192.168.42.201        192.168.42.11         TLSv1    156    Application Data, Application Data

   



Here is the summary trace for the failing 2670L camera


     53 7.073430       192.168.42.204        192.168.42.11         TCP      74     48126 → 587 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2304233 TSecr=0 WS=16
     54 7.073464       192.168.42.11         192.168.42.204        TCP      74     587 → 48126 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2656197614 TSecr=2304233 WS=128
     55 7.074196       192.168.42.204        192.168.42.11         TCP      66     48126 → 587 [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=2304233 TSecr=2656197614
    116 12.086100      192.168.42.11         192.168.42.204        SMTP     147    S: 220 xxxxxxxx.com ESMTP Sendmail 8.15.2/8.15.2; Fri, 30 Aug 2019 16:33:14 +0200
    117 12.086494      192.168.42.204        192.168.42.11         TCP      66     48126 → 587 [ACK] Seq=1 Ack=82 Win=14608 Len=0 TSval=2304735 TSecr=2656202627
    118 12.087191      192.168.42.204        192.168.42.11         SMTP     80     C: EHLO cam60CE
    119 12.087208      192.168.42.11         192.168.42.204        TCP      66     587 → 48126 [ACK] Seq=82 Ack=15 Win=65280 Len=0 TSval=2656202628 TSecr=2304735
    120 12.087456      192.168.42.11         192.168.42.204        SMTP     259    S: 250-xxxxxxxx.com Hello [192.168.42.204], pleased to meet you | 250-ENHANCEDSTATUSCODES | 250-PIPELINING | 250-8BITMIME | 250-SIZE | 250-DSN | 250-AUTH GSSAPI | 250-STARTTLS | 250-DELIVERBY | 250 HELP
    121 12.125878      192.168.42.204        192.168.42.11         TCP      66     48126 → 587 [ACK] Seq=15 Ack=275 Win=15680 Len=0 TSval=2304739 TSecr=2656202628
    133 14.349266      192.168.42.204        192.168.42.11         SMTP     76     C: STARTTLS
    134 14.349296      192.168.42.11         192.168.42.204        TCP      66     587 → 48126 [ACK] Seq=275 Ack=25 Win=65280 Len=0 TSval=2656204890 TSecr=2304961
    135 14.349477      192.168.42.11         192.168.42.204        SMTP     96     S: 220 2.0.0 Ready to start TLS
    136 14.349831      192.168.42.204        192.168.42.11         TCP      66     48126 → 587 [ACK] Seq=25 Ack=305 Win=15680 Len=0 TSval=2304961 TSecr=2656204890
    137 14.352414      192.168.42.204        192.168.42.11         TLSv1    265    Client Hello
    138 14.352432      192.168.42.11         192.168.42.204        TCP      66     587 → 48126 [ACK] Seq=305 Ack=224 Win=65152 Len=0 TSval=2656204893 TSecr=2304961
    139 14.358705      192.168.42.11         192.168.42.204        TLSv1    1473   Server Hello, Certificate, Server Key Exchange, Server Hello Done
    140 14.395908      192.168.42.204        192.168.42.11         TCP      66     48126 → 587 [ACK] Seq=224 Ack=1712 Win=18576 Len=0 TSval=2304966 TSecr=2656204900
    143 14.642190      192.168.42.204        192.168.42.11         TLSv1    200    Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
    144 14.643057      192.168.42.11         192.168.42.204        TLSv1    300    New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
    145 14.643728      192.168.42.204        192.168.42.11         TCP      66     48126 → 587 [ACK] Seq=358 Ack=1946 Win=21392 Len=0 TSval=2304990 TSecr=2656205184
    146 14.688089      192.168.42.204        192.168.42.11         TLSv1    140    Application Data, Application Data
    147 14.688269      192.168.42.11         192.168.42.204        TLSv1    151    Application Data
    148 14.688331      192.168.42.11         192.168.42.204        TLSv1    103    Encrypted Alert
    149 14.688885      192.168.42.204        192.168.42.11         TCP      66     48126 → 587 [ACK] Seq=432 Ack=2031 Win=21392 Len=0 TSval=2304995 TSecr=2656205229
    154 14.698373      192.168.42.204        192.168.42.11         TLSv1    103    Encrypted Alert
    155 14.698406      192.168.42.11         192.168.42.204        TCP      54     587 → 48126 [RST] Seq=2069 Win=0 Len=0
