[Email] Add SSL support for sending email

[TD-er]

To send via Gmail:

• Generate an 'app password'
• Domain: gmail.com
• Server: smtp.gmail.com
• Port: 465 (SSL)
• Sender: <Your email>
• User: <Your Gmail Address>
• Pass: The generated "app password"

From Google on SSL/TLS:

The outgoing SMTP server, smtp.gmail.com, supports TLS.
If your client begins with plain text, before issuing the STARTTLS command, use port 465 (for SSL), or port 587 (for TLS).

ToDo:

• TLS port 587 is not yet working, no idea yet why not.
• IPv6 tested
• Documentation

This feature is now included in all ESP32-xx 'custom' and 'MAX' builds.

[TD-er]

@thomastech @uzi18
Can you please test this?

See here for the GH Actions build

[thomastech]

OMG, SSL emails!

My email server uses port 587. Any idea when that will be working?

[TD-er]

My email server uses port 587. Any idea when that will be working?

Not yet, but I'm working on it.
Honestly I have no idea why it isn't working.

Have you tried it yourself?
GMail is refusing it, but that doesn't mean it will not work with others.

[TD-er]

Hmm it seems the TLS implementation I currently use either doesn't have the required ciphers included, or maybe it is TLS 1.1

The return code I get when connecting to Gmail is 3, which is BR_ERR_UNSUPPORTED_VERSION

So maybe it will work with your mailserver?

Anyway I will be looking into updating BearSSL library code.

[uzi18]

@TD-er do you have debug log?

[TD-er]

@TD-er do you have debug log?

23.245 : (289920) Debug  : Email: Connecting to smtp.gmail.com:587
23.246 : (289932) Info   : IP   : Set DNS: 192.168.10.1
23.247 : (289884) Info   : IP   : Set DNS: 0.0.0.0
23.268 : (289756) Debug  : connectClient: '2a00:1450:4025:401::6c' port: 587
23.301 : (285400) Error  : connectClient: connect failed to '2a00:1450:4025:401::6c' port: 587
23.305 : (289472) Error  : Email: Error connecting to smtp.gmail.com:587 Error code: 3

It seems like for using port 587 you may need to use a client certificate.
On "SSL" port 465 you don't and thus can use user/passwd.

Still no idea how to do this though....

[uzi18]

So it doesn't accept connection or no log from transaction?

[TD-er]

So it doesn't accept connection or no log from transaction?

Making the connection already fails.

When sending via port 465 you get something like this:

00:01:02.244 : (302692) Info   : static_file: /esp.css to: 192.168.10.169
00:01:02.248 : (302700) Debug  : HTML : Request file /esp.css
00:01:02.344 : (291360) Debug  : Email: Connecting to smtp.gmail.com:465
00:01:02.355 : (291256) Debug  : connectClient: '2a00:1450:4025:401::6d' port: 465
00:01:02.724 : (288980) Debug  : NPlugin_001_send: timeout: 10000
00:01:02.736 : (286560) Info   : Email: Initializing ...
00:01:02.737 : (286544) Info   : Email: Max Allowed Timeout is 10 secs
00:01:02.738 : (286528) Debug  : NPlugin_001_MTA:  Waitfor: 220 Timeout: 10000 ms Send: ''
00:01:02.764 : (288468) Debug  : Email: Sending EHLO domain
00:01:02.765 : (288420) Debug  : NPlugin_001_MTA:  Waitfor: 250 Timeout: 10000 ms Send: 'EHLO gmail.com'
00:01:02.822 : (288456) Debug  : Email: Sending User/Pass
00:01:02.823 : (288312) Debug  : NPlugin_001_MTA:  Waitfor: 334 Timeout: 10000 ms Send: 'AUTH LOGIN'
00:01:02.881 : (288232) Debug  : NPlugin_001_MTA:  Waitfor: 334 Timeout: 10000 ms Send: 'XXXXXXXXXXXXXXXXXX=='
00:01:02.919 : (288236) Debug  : NPlugin_001_MTA:  Waitfor: 235 Timeout: 10000 ms Send: 'XXXXXXXXXXXXXXXXXX=='
00:01:03.232 : (288380) Info   : Email: Credentials Accepted
00:01:03.232 : (288476) Debug  : Email: Sending email Addr
00:01:03.243 : (288348) Debug  : NPlugin_001_MTA:  Waitfor: 250 Timeout: 10000 ms Send: 'MAIL FROM:<Foo@gmail.com>'
00:01:03.269 : (288412) Info   : Email: Receiver(s): Foo@gmail.com
00:01:03.280 : (288364) Info   : Email: To Foo@gmail.com
00:01:03.281 : (288252) Debug  : NPlugin_001_MTA:  Waitfor: 250 Timeout: 10000 ms Send: 'RCPT TO:<Foo@gmail.com>'
00:01:03.333 : (288444) Debug  : NPlugin_001_MTA:  Waitfor: 354 Timeout: 10000 ms Send: 'DATA'
00:01:03.647 : (287812) Debug  : NPlugin_001_MTA:  Waitfor: 250 Timeout: 10000 ms Send: 'From: MAX ESP32-c6 8M_29 <Foo@gmail.com>
To: Foo@gmail.com
Subject: Test ESPEasy
Reply-To: MAX ESP32-c6 8M_29 <Foo@gmail.com>
Date: Sat, 05 Oct 2024 14:11:26 +0000
MIME-VERSION: 1.0
Content-type: text/html; charset=UTF-8
X-Mailer: EspEasy v20241005

bladiebla
.
'
00:01:04.673 : (288168) Error  : Timeout while reading input data! str: ``
00:01:04.684 : (287656) Debug  : NPlugin_001_MTA: read line: 
00:01:04.770 : (288440) Debug  : NPlugin_001_MTA:  Waitfor: 221 Timeout: 10000 ms Send: 'QUIT'
00:01:04.808 : (290408) Info   : Email: Connection Closed Successfully

[thomastech]

No luck with the 10/03 and 10/05 test builds. Just a lot of "Timeout while reading input data! str: " messages. Tried both 465 and 587.

In case you are interested, I noticed that the browser gets upset when the notification Test button is used. Immediately requires a page reload.

And you are sneaky. Timeout now in mS. As a UI setting, I think that seconds would be more natural to the general population. But this is your baby and so I won't complain anymore about using mS resolution for setting timeout seconds. :)

[TD-er]

What I did is just save it first and then try the test button.

Can you enable the debug log with the latest GH Actions test build?
Just to see where it fails.

See here for the interpretation of the error codes:

ESPEasy/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.h

Lines 205 to 311 in 4845f91

	#define ERR_OOM -1000
	#define ERR_CANT_RESOLVE_IP -1001
	#define ERR_TCP_CONNECT -1002
	// #define ERR_MISSING_EC_KEY -1003 // deprecated, AWS IoT is not called if the private key is not present
	#define ERR_MISSING_CA -1004
	// For reference, BearSSL error codes:
	// #define BR_ERR_OK 0
	// #define BR_ERR_BAD_PARAM 1
	// #define BR_ERR_BAD_STATE 2
	// #define BR_ERR_UNSUPPORTED_VERSION 3
	// #define BR_ERR_BAD_VERSION 4
	// #define BR_ERR_BAD_LENGTH 5
	// #define BR_ERR_TOO_LARGE 6
	// #define BR_ERR_BAD_MAC 7
	// #define BR_ERR_NO_RANDOM 8
	// #define BR_ERR_UNKNOWN_TYPE 9
	// #define BR_ERR_UNEXPECTED 10
	// #define BR_ERR_BAD_CCS 12
	// #define BR_ERR_BAD_ALERT 13
	// #define BR_ERR_BAD_HANDSHAKE 14
	// #define BR_ERR_OVERSIZED_ID 15
	// #define BR_ERR_BAD_CIPHER_SUITE 16
	// #define BR_ERR_BAD_COMPRESSION 17
	// #define BR_ERR_BAD_FRAGLEN 18
	// #define BR_ERR_BAD_SECRENEG 19
	// #define BR_ERR_EXTRA_EXTENSION 20
	// #define BR_ERR_BAD_SNI 21
	// #define BR_ERR_BAD_HELLO_DONE 22
	// #define BR_ERR_LIMIT_EXCEEDED 23
	// #define BR_ERR_BAD_FINISHED 24
	// #define BR_ERR_RESUME_MISMATCH 25
	// #define BR_ERR_INVALID_ALGORITHM 26
	// #define BR_ERR_BAD_SIGNATURE 27
	// #define BR_ERR_WRONG_KEY_USAGE 28
	// #define BR_ERR_NO_CLIENT_AUTH 29
	// #define BR_ERR_IO 31
	// #define BR_ERR_RECV_FATAL_ALERT 256
	// #define BR_ERR_SEND_FATAL_ALERT 512
	// #define BR_ERR_X509_OK 32
	// #define BR_ERR_X509_INVALID_VALUE 33
	// #define BR_ERR_X509_TRUNCATED 34
	// #define BR_ERR_X509_EMPTY_CHAIN 35
	// #define BR_ERR_X509_INNER_TRUNC 36
	// #define BR_ERR_X509_BAD_TAG_CLASS 37
	// #define BR_ERR_X509_BAD_TAG_VALUE 38
	// #define BR_ERR_X509_INDEFINITE_LENGTH 39
	// #define BR_ERR_X509_EXTRA_ELEMENT 40
	// #define BR_ERR_X509_UNEXPECTED 41
	// #define BR_ERR_X509_NOT_CONSTRUCTED 42
	// #define BR_ERR_X509_NOT_PRIMITIVE 43
	// #define BR_ERR_X509_PARTIAL_BYTE 44
	// #define BR_ERR_X509_BAD_BOOLEAN 45
	// #define BR_ERR_X509_OVERFLOW 46
	// #define BR_ERR_X509_BAD_DN 47
	// #define BR_ERR_X509_BAD_TIME 48
	// #define BR_ERR_X509_UNSUPPORTED 49
	// #define BR_ERR_X509_LIMIT_EXCEEDED 50
	// #define BR_ERR_X509_WRONG_KEY_TYPE 51
	// #define BR_ERR_X509_BAD_SIGNATURE 52
	// #define BR_ERR_X509_TIME_UNKNOWN 53
	// #define BR_ERR_X509_EXPIRED 54
	// #define BR_ERR_X509_DN_MISMATCH 55
	// #define BR_ERR_X509_BAD_SERVER_NAME 56
	// #define BR_ERR_X509_CRITICAL_EXTENSION 57
	// #define BR_ERR_X509_NOT_CA 58
	// #define BR_ERR_X509_FORBIDDEN_KEY_USAGE 59
	// #define BR_ERR_X509_WEAK_PUBLIC_KEY 60
	// #define BR_ERR_X509_NOT_TRUSTED 62
	// Alert types for TLSContentType.ALERT messages
	// See RFC 8466, section B.2
	// CLOSE_NOTIFY = 0
	// UNEXPECTED_MESSAGE = 10
	// BAD_RECORD_MAC = 20
	// DECRYPTION_FAILED = 21
	// RECORD_OVERFLOW = 22
	// DECOMPRESSION_FAILURE = 30
	// HANDSHAKE_FAILURE = 40
	// NO_CERTIFICATE = 41
	// BAD_CERTIFICATE = 42
	// UNSUPPORTED_CERTIFICATE = 43
	// CERTIFICATE_REVOKED = 44
	// CERTIFICATE_EXPIRED = 45
	// CERTIFICATE_UNKNOWN = 46
	// ILLEGAL_PARAMETER = 47
	// UNKNOWN_CA = 48
	// ACCESS_DENIED = 49
	// DECODE_ERROR = 50
	// DECRYPT_ERROR = 51
	// EXPORT_RESTRICTION = 60
	// PROTOCOL_VERSION = 70
	// INSUFFICIENT_SECURITY = 71
	// INTERNAL_ERROR = 80
	// INAPPROPRIATE_FALLBACK = 86
	// USER_CANCELED = 90
	// NO_RENEGOTIATION = 100
	// MISSING_EXTENSION = 109
	// UNSUPPORTED_EXTENSION = 110
	// CERTIFICATE_UNOBTAINABLE = 111
	// UNRECOGNIZED_NAME = 112
	// BAD_CERTIFICATE_STATUS_RESPONSE = 113
	// BAD_CERTIFICATE_HASH_VALUE = 114
	// UNKNOWN_PSK_IDENTITY = 115
	// CERTIFICATE_REQUIRED = 116
	// NO_APPLICATION_PROTOCOL = 120

And about the timeout...
I'm not sure yet if this will be kept like this.
Also the TLS port 587 implementation may be quite tricky as I have not yet found any (!!!) example code for Arduino/BearSSL claiming to use TLS port 587.

When connecting to GMail SMTP servers I get error code 3.
Someone at Tasmota's team also tried via Discord and got the same error code.
Ton got the same error code when connecting to KPN mailserver (largest telco in NL)

[TD-er]

@thomastech Do you have NTP enabled? (or some other method to have the system time set)

It should fall-back to the build time of the binary, so I doubt it will really make a difference here...

[thomastech]

Yes, all testing has been with NTP enabled.
I'll post the debug log, but have run out of time for now. It will have to wait until Monday.

[TD-er]

It is Saturday evening, perfect time for debugging, so how can you run out of time? ;)

Just watch out when posting the debug logs that you do wipe off the base64-encoded password/username and your email-address.

[TD-er]

I did discuss with some Tasmota devs about it and apparently also Tasmota does not support sending via port 587.
Only port 465.

So I'm thinking about maybe making a new N003 email plugin which then will use a separate library for all kinds of email-authentications, including of attachments, SSL/TLS/STARTTLS and what not.
This will then leave the current N001_Email plugin as is, only supporting SSL port 465 and for those needing the extras there can be a decision to include N003 and thus have larger bin files as the library is not really small.
At least it is then proven code instead of some hacked code to mimick some kind of 'happy path' of the SMTP protocol.

[thomastech]

I need to check my ISP to see if port 465 is possible. EDIT: Yes, 465 is supported.
Have you gotten GMail to work? That would be my backup plan.
N003 sounds fine to me.

[TD-er]

Have you gotten GMail to work? That would be my backup plan.

Yep works perfectly fine.
Just follow the steps as described at the top of this PR.

Even works when using IPv6.

Edit:
You should have proof ... ;)

[thomastech]

Here is the log (level debug), my ISP, port 465

00:11:04.533 : (191056) Debug  : DEBUG: Formatted String='====================<br/> MilkMate Monitor<br/>====================<br/><br/>MilkMate has rebooted<br/>Location: Regency Store<br/>Local Time: 2024-10-05 2:43:48 PM<br/>Local IP: 192.168.1.103 <br/>WiFi SSID: Wizard1_2G4<br/>WiFi Signal: -36dBm<br/>WiFi Chnl: 6<br/>Firmware Build Date: Oct  5 2024<br/><br/>Milk Level Data: ��1618«<br/>Milk Temperature: 84.0'
00:11:04.546 : (190828) Debug  : DEBUG: Formatted String='====================<br/> MilkMate Monitor<br/>====================<br/><br/>MilkMate has rebooted<br/>Location: Regency Store<br/>Local Time: 2024-10-05 2:43:48 PM<br/>Local IP: 192.168.1.103 <br/>WiFi SSID: Wizard1_2G4<br/>WiFi Signal: -36dBm<br/>WiFi Chnl: 6<br/>Firmware Build Date: Oct  5 2024<br/><br/>Milk Level Data: »1618«<br/>Milk Temperature: 84.0°F<br/>The Cabinet Door is CLOSED'
00:11:04.569 : (191328) Info   : Email: Initializing ...
00:11:04.611 : (191840) Info   : Email: Max Allowed Timeout is 12 secs
00:11:04.612 : (191824) Debug  : NPlugin_001_MTA:  Waitfor: 220 Timeout: 12000 ms Send: ''
00:11:05.626 : (191840) Error  : Timeout while reading input data! str: ``
00:11:05.626 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:06.627 : (191840) Error  : Timeout while reading input data! str: ``
00:11:06.627 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:07.628 : (191840) Error  : Timeout while reading input data! str: ``
00:11:07.628 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:08.629 : (191840) Error  : Timeout while reading input data! str: ``
00:11:08.629 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:09.630 : (191840) Error  : Timeout while reading input data! str: ``
00:11:09.630 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:10.631 : (191840) Error  : Timeout while reading input data! str: ``
00:11:10.631 : (191832) Debug  : NPlugin_001_MTA: read line: 
00:11:11.632 : (191840) Error  : Timeout while reading input data! str: ``
00:11:11.632 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:12.633 : (191840) Error  : Timeout while reading input data! str: ``
00:11:12.633 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:13.634 : (191840) Error  : Timeout while reading input data! str: ``
00:11:13.634 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:14.635 : (191840) Error  : Timeout while reading input data! str: ``
00:11:14.635 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:15.636 : (191840) Error  : Timeout while reading input data! str: ``
00:11:15.636 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:16.637 : (191840) Error  : Timeout while reading input data! str: ``
00:11:16.637 : (191856) Debug  : NPlugin_001_MTA: read line: 
00:11:16.638 : (191856) Error  : NPlugin_001_MTA: timeout. 
00:11:16.649 : (191856) Debug  : Email: Initialization Fail
00:11:16.654 : (191616) Error  : Email: Connection Closed With Error. Used header: From: MilkMate <john@myhost.com>
To: thomas@myhost.com
Subject: MilkMate has rebooted!
Reply-To: MilkMate <thomas@myhost.com>
Date: Sat, 05 Oct 2024 14:43:48 -0700
MIME-VERSION: 1.0
Content-type: text/html; charset=UTF-8
X-Mailer: EspEasy v20241005

[TD-er]

By the way, I did find you can't (yet) use MilkMate <thomas@myhost.com>
But if you try thomas@myhost.com it will probably work just fine.
Oh and you should refresh your mail-client from your provider :)

[thomastech]

By the way, I did find you can't (yet) use MilkMate thomas@myhost.com
But if you try thomas@myhost.com it will probably work just fine.

I only entered thomas@myhost.com in the plugin. The included alias is an artifact of the log output.

[uzi18]

@TD-er smtp gmail docs states you can use all three ports for secure connection.

[thomastech]

No success with GMail. Tried ESP_Easy_mega_20241003_collection_B_ESP32_4M316k and ESP_Easy_mega_20241005_collection_B_ESP32_4M316k.

Q1. Should both versions work?
Q2. Regarding the The generated "app password", do I need to remove the spaces between the number sets?
Q3. My ESPEasy N001 plugin still states "Note: SSL/TLS servers NOT supported!" Do I have the correct test build?

BTW, I tried the app password without spaces and with spaces. Both fail.

Here are the logs:

11.013 : (202956) Debug  : Email: Connecting to smtp.gmail.com:465
11.052 : (202808) Debug  : connectClient: 'xxx.xxx.x.xxx' port: 465
11.100 : (202528) Debug  : NPlugin_001_send: timeout: 12000
11.122 : (202192) Info   : Email: Initializing ...
11.123 : (202176) Info   : Email: Max Allowed Timeout is 12 secs
11.124 : (202160) Debug  : NPlugin_001_MTA:  Waitfor: 220 Timeout: 12000 ms Send: ''
12.128 : (202176) Error  : Timeout while reading input data! str: ``
12.129 : (202192) Debug  : NPlugin_001_MTA: read line: 
13.140 : (202176) Error  : Timeout while reading input data! str: ``
13.140 : (202192) Debug  : NPlugin_001_MTA: read line: 
14.141 : (202176) Error  : Timeout while reading input data! str: ``
14.141 : (202192) Debug  : NPlugin_001_MTA: read line: 
15.142 : (202176) Error  : Timeout while reading input data! str: ``
15.142 : (202192) Debug  : NPlugin_001_MTA: read line: 
16.143 : (202176) Error  : Timeout while reading input data! str: ``
16.144 : (202192) Debug  : NPlugin_001_MTA: read line: 
17.144 : (202176) Error  : Timeout while reading input data! str: ``
17.144 : (202192) Debug  : NPlugin_001_MTA: read line: 
18.145 : (202176) Error  : Timeout while reading input data! str: ``
18.145 : (202192) Debug  : NPlugin_001_MTA: read line: 
19.146 : (202176) Error  : Timeout while reading input data! str: ``
19.146 : (202192) Debug  : NPlugin_001_MTA: read line: 
20.147 : (202176) Error  : Timeout while reading input data! str: ``
20.147 : (202192) Debug  : NPlugin_001_MTA: read line: 
21.148 : (202176) Error  : Timeout while reading input data! str: ``
21.148 : (202192) Debug  : NPlugin_001_MTA: read line: 
22.149 : (202176) Error  : Timeout while reading input data! str: ``
22.149 : (202192) Debug  : NPlugin_001_MTA: read line: 
23.150 : (202176) Error  : Timeout while reading input data! str: ``
23.150 : (202192) Debug  : NPlugin_001_MTA: read line: 
23.151 : (202192) Error  : NPlugin_001_MTA: timeout. 
23.162 : (202192) Debug  : Email: Initialization Fail
23.167 : (201964) Error  : Email: Connection Closed With Error. Used header: From: MilkMate <myname@gmail.com>
To: myname@myisp.com
Subject: MilkMate has rebooted!
Reply-To: MilkMate <myname@gmail.com>
Date: Sun, 06 Oct 2024 09:44:23 -0700
MIME-VERSION: 1.0
Content-type: text/html; charset=UTF-8
X-Mailer: EspEasy v20241003

[tonhuisman]

This feature is now included in all ESP32-xx 'custom' and 'MAX' builds.

I think this is the reason...

[tonhuisman]

@thomastech I've built a one-off Collection B build with TLS features enabled for you to test:
ESP_Easy_mega_20241006_collection_B_ESP32_4M316k.zip

[TD-er]

I think there is no reason (yet) not to enable it for all ESP32-xx builds, so I will make a new build where it is enabled for all.

[TD-er]

New build here: https://td-er.nl/ESPEasy/latest/
This should have SSL/TLS enabled for all ESP32-xx builds for email and MQTT.

[thomastech]

It works! Thanks to Ton's insight. And another thanks to TD-er for building ESP_Easy_mega_20241006_collection_B_ESP32_4M316k.

Validated on my ISP's email server and also GMail. Both were a success.

This is a game changer. Going forward all my ESP32 devices will be able to eliminate the smtp2go email "bridge." Too bad ESP8266 can't handle the SSL code bloat, since I still have a few of those devices in the wild.

[TD-er]

If there is an ESP32 in the same network, you can also use p2p to send email via those using the notify command and sendto. (or use rules)

[uzi18]

@TD-er maybe not need a library
in general after EHLO cmd ... we should check if received 250 STARTTLS (actually we check only for 250)
if so server support for TLS, next we send STARTTLS and should received 220 GO AHEAD
from now smtp server reset state to work with TLS/SSL connection

This is small addition to existing code.

[TD-er]

Hmm can you make a PR for it, so we can test it?
Sounds absolutely perfect if it is as simple as you describe it to be.

[uzi18]

@TD-er not sure about TLS/SSL stuff, can't find more info about this transaction ;)