Notifications (E-Mail)

1.20.1.
 
Are you sure? On my fork....
Code:
admin@AC68P-XXXXX:/tmp/home/root# busybox
BusyBox v1.20.2 (2016-06-21 07:24:57 MST) multi-call binary.
Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko
and others. Licensed under GPLv2.
See source distribution for full notice.
 

Could be .2, I was going from memory.
 
Thx - there's a couple of perhaps "undocumented" switches with the sendmail app inside busybox - see -d...
 
...
// The problem here is some servers delay initial 220 message,
// and consider client to be a spammer if it starts sending cmds
// before 220 reached it. The code below is unsafe in this regard:
// in non-STARTTLSed case, we potentially send NOOP before 220
// is sent by server.
// Ideas? (--delay SECS opt? --assume-starttls-helper opt?)
code = smtp_check("NOOP", -1);
if (code == 220)
	// we got 220 - this is not STARTTLSed connection,
	// eat 250 response to our NOOP
	smtp_check(NULL, 250);
else
if (code != 250)

What can we do about this, ask the busybox maintainer to fix it ?
:-(

Ok I "humbly and politely" asked on busybox's mailing list about sendmail's strange behavior, but didn't get any answer...yet! Correction: I have an answer now (July 16, 2016), which is to try adding sleep(3) before the code = smtp_check("NOOP", -1) line in the sendmail source code. Thanks to BusyBox sendmail's maintainer M. Vlasenko!

I agree it's a minor bug, it just makes using ssl with the videotron smtp server unreliable o_O !!!

For other amateurs like me who might face similar problems with their ISP's smtp server, check if they offer port 587, that requires authentication but no ssl. So to get busybox's sendmail to send me notifications from my firewall, I'm now using relais.videotron.ca:587 and it works quite well sending emails to other domains.

Here is my script that gets executed every day, and sends email whenever the ip changes or every week in any case. I came up with this when dyndns went slickly greedy... oops... I meant commercial...

Code:
firewall# cat mailIP
#!/bin/sh
#
# sends the IP address when it changes...
#
#
IPNOW=$(ip addr | grep 255.255. | sed -n 's/^ *inet *\([.0-9]*\).*/\1/p')
# nothing found: stop rather than mail an empty address
[ -n "$IPNOW" ] || exit 1
# -x -F: compare the whole line literally, so 1.2.3.4 does not match 1.2.3.45
if grep -qxF "$IPNOW" /tmp/MyIP.log 2>/dev/null
then
    echo "No change"
else
    echo "$IPNOW" > /tmp/MyIP.log
    echo "Subject: l'adresse IP aujourd'hui: $IPNOW !!! " > /tmp/MyIP1.log
    echo "From: root@firewall" >> /tmp/MyIP1.log
    echo "Date:  `date -R`" >> /tmp/MyIP1.log
    echo "" >> /tmp/MyIP1.log
    echo "Salut mon petit JR..." >> /tmp/MyIP1.log
    echo "" >> /tmp/MyIP1.log
    echo "nouvel IP:  $IPNOW" >> /tmp/MyIP1.log
    echo "Uptime est: `uptime | cut -d ',' -f1 | sed 's/^.\{12\}//g'`" >> /tmp/MyIP1.log
    echo "" >> /tmp/MyIP1.log
    echo "---- " >> /tmp/MyIP1.log
    echo "de la part de ton gentil Routeur !!!" >> /tmp/MyIP1.log
    echo "" >> /tmp/MyIP1.log
    echo "" >> /tmp/MyIP1.log
    # port 587 is used here without TLS, so the -au/-ap login is sent unencrypted
    sendmail -S relais.videotron.ca:587 -froot@firewall -auxxxxxxxx -apyyyyyyyy blablabla@gmail.com </tmp/MyIP1.log
fi
firewall#
Note: you might have to change the "...| grep 255.255. | ..." to suit your specific router... or simply use `nvram get wan0_ipaddr` if on ASUS.

Thanks everyone !
jrb
 
Will the above script work for Gmail? Thanks

I tried the old script with GeoTrust_Primary_CA.pem but got

verify error:num=20:unable to get local issuer certificate

edit: nevermind, it's working even with that error :)
 
....Correction: I have an answer now (July 16, 2016), which is to try adding sleep(3) before the code = smtp_check("NOOP", -1) line in the sendmail source code.

...

Ok I received this mail from M. Vlasenko for a workaround that will correct sendmail when using the -H option with touchy SMTP servers ...

commit b9f56e82da9a0821011e1e0924acd1d781643070
Author: Denys Vlasenko <vda.linux@googlemail.com>
Date: Wed Sep 7 13:16:33 2016 +0200

sendmail: make it possible to pause after connection helper is started

If a non-starttls helper is in use, initial 220 response is processed by us,
not by helper.
Some servers consider us to be a spammer if we don't wait for it.

It is not in protocol, but it is a real-life problem.

The workaround in this patch is a magic envvar, $SMTP_ANTISPAM_DELAY:

...
-H 'PROG ARGS'  Run connection helper. Examples:
                openssl s_client -quiet -tls1 -starttls smtp -connect smtp.gmail.com:25
                openssl s_client -quiet -tls1 -connect smtp.gmail.com:465
                $SMTP_ANTISPAM_DELAY: seconds to wait after helper connect
...

By using it, people can tweak sendmail behavior even if sendmail invocation
is buried in some scripts.
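
The ordering problem this commit works around, as an added example (not BusyBox code and not from the thread): a client that reads the whole 220 greeting, multi-line `220-` continuations included, before it sends its first command. The server replies and the `EHLO router` name are constructed, and `read_greeting` and `first_command` are names chosen here.

```shell
#!/bin/sh
# Added example, not BusyBox code: read the SMTP greeting before speaking.
CR=$(printf '\r')

# read_greeting: consume reply lines on stdin until the greeting is complete.
# Returns 0 on the final "220 " line, 1 on any other reply, 2 on EOF.
read_greeting() {
    while IFS= read -r line; do
        line=${line%"$CR"}          # drop the CR of the CRLF line ending
        case $line in
            220-*)      continue ;; # continuation: more greeting lines follow
            220\ *|220) return 0 ;; # final line: the server is ready for us
            *)          return 1 ;; # e.g. 554: the server refuses the session
        esac
    done
    return 2                        # connection closed before any 220
}

# first_command REPLIES: what the client sends after reading REPLIES
# (printf-style escapes, so \r\n can be written literally).
first_command() {
    rc=0
    printf '%b' "$1" | read_greeting || rc=$?
    case $rc in
        0) echo "EHLO router" ;;
        1) echo "QUIT" ;;
        *) echo "" ;;               # nothing to say: no greeting arrived
    esac
}

# Constructed server replies (not captured from a real server).
MULTI='220-mx.example.net ESMTP\r\n220-No unsolicited mail\r\n220 ready\r\n'
REFUSED='554 5.7.1 Service unavailable\r\n'

first_command "$MULTI"      # greeting complete: EHLO
first_command "$REFUSED"    # not a 220: QUIT
```

On a BusyBox that carries this commit, setting `SMTP_ANTISPAM_DELAY` in the environment of an existing sendmail call approximates the same ordering by pausing after the helper connects.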
 
For anyone still trying to send email through Gmail, after MUCH trial and error, this is what eventually worked for me on my Asus RT-AC68U running Merlin:

Download the trusted certificate:
Code:
wget -c -O /jffs/configs/Equifax_Secure_Certificate_Authority.pem http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem --no-check-certificate

And then use the following script as a guide for creating your own:
Code:
#!/bin/sh

# The following cmd must be run one time in SSH prior to running this script:
#     wget -c -O /jffs/configs/Equifax_Secure_Certificate_Authority.pem http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.pem --no-check-certificate

# For this example to work, the following variables must be modified:
#     FROM, AUTH, PASS, FROMNAME, TO

# Additionally, you MAY need to "Turn on" the sender Gmail account's
# "Access for less secure apps" setting. I turned it on and have not tried
# turning it back off (does not matter to me since I am using a throwaway
# Gmail account used only for this purpose). After logging into your Gmail
# account, this setting can be found at the following URL:
#     https://www.google.com/settings/security/lesssecureapps

# To execute this script, make sure you have given it executable permissions,
# and then either execute it directly from SSH:
#     cd /path/you/saved/script/to
#     ./nameOfScript.sh
# Or, save the script as one of your jffs startup scripts, such as:
#     /jffs/scripts/wan-start

# If you run the script from SSH, your output should look something like
# the following (if the email was sent successfully):
#     username@routername:/tmp/mnt/USB01/scripts# ./SendEmailTest.sh
#     depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
#     verify return:1
#     depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
#     verify return:1
#     depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
#     verify return:1
#     depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
#     verify return:1
#     250 SMTPUTF8

FROM="YourEmail@gmail.com"
AUTH="YourEmail@gmail.com"
PASS="YourPassword"
FROMNAME="John Doe"
TO="recipient@example.com"

# Set the clock first: certificate validation and the Date: header depend on it
ntpclient -h pool.ntp.org -s >/dev/null 2>&1
sleep 5

echo "Subject: WAN Connection" >/tmp/mail.txt
echo "From: \"$FROMNAME\" <$FROM>" >>/tmp/mail.txt
echo "Date: `date -R`" >>/tmp/mail.txt
echo "" >>/tmp/mail.txt
echo "My WAN IP is: `nvram get wan0_ipaddr`" >>/tmp/mail.txt
echo "Uptime is: `uptime | cut -d ',' -f1 | sed 's/^.\{12\}//g'`" >>/tmp/mail.txt
echo "" >>/tmp/mail.txt

# -ap puts the password on the command line, where other local processes can read it
cat /tmp/mail.txt | sendmail -H"exec openssl s_client -quiet \
-CAfile /jffs/configs/Equifax_Secure_Certificate_Authority.pem \
-tls1 -starttls smtp -connect smtp.gmail.com:587" \
-f"$FROM" \
-au"$AUTH" -ap"$PASS" "$TO"

rm /tmp/mail.txt
 
Thanks. I hadn't tested it as it is currently working for me.

I don't know why, but I had the script before I installed ab solution. When I enable mail on AB, it makes my WAN notification script work again.. :) maybe the certificate..
 
I'm not sure it's the certificate. In my part of the script I explicitly include the cert. But maybe some caching miracle helps it. Anyway, good to hear AB does some good.
 
I stumbled on this thread while researching DDNS updates via scripting in Merlin. I had the same error message about certificates when using the script to send email via my GMail account. I tried the wget command to get the pem file, but the error persisted.

Anyways, if someone wants to fix this error (only talking about GMail with a valid email on GMail) and has a Windows computer, I did the following and it fixed the error. I am sure you can minimize steps or can get the certs using OpenSSL on the router itself, but here is what I did:

1. Putty into your router.

2. Run "openssl s_client -connect smtp.gmail.com:587 -starttls smtp".

3. Now, copy the certificate from the output of Step 2
(All text within "----- BEGIN CERTIFICATE -----" & "----- END CERTIFICATE -----", including the Begin/End lines).

4. Save this blob of text to a file, something like "GMail.crt" on your computer (Not router).

5. Now, right-click this ".crt" file and select "Open" (NOT "Install Certificate").
This will open the certificate in MMC view.

6. Go to the tab that says "Certification Path". This path lists the full certificate chain.
You will see the full chain from top level to bottom level. Something like:

GeoTrust Global CA --> Google Internet Authority G2 --> smtp.gmail.com

7. Select the Root CA (in the chain above, it is "GeoTrust Global CA").
Once you select this certificate, the button for "View Certificate" will be enabled.
Click on this button.

8. Another MMC window for just this certificate will pop up.

9. Next, in this new popup window, click on "Details".
Once you click on "Details", you will see the button for "Copy To File" enabled.
Click on this button.

10. A new "Certificate Export Wizard" will start.
Export the certificate as "Base-64 encoded X.509 (.CER)".
Give a name like "GMail_Root_CA.cer" to this file and save this file to your computer.

11. Next, change the file extension of this ".cer" file to ".pem"

12. At this point, you should have a "GMail_Root_CA.pem" file sitting on your computer.

13. Transfer this .pem file to /jffs/configs folder and make sure you reference this file in your mail script.
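
A check to run once the .pem file is in place, as an added example (not code from the thread): it reads `openssl s_client` output and reports whether the chain really verified, because, as the earlier "verify error:num=20" post shows, the session carries on after a verification error. The two transcripts are constructed from the output quoted in this thread, and `verify_ok`, `preflight` and `check` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): decide from openssl s_client output
# whether the certificate chain verified before any mail is sent.

# verify_ok: read s_client output on stdin; succeed only if no "verify error"
# line appears and the summary reports "Verify return code: 0 (ok)".
verify_ok() {
    awk '
        /verify error:/                { bad = 1 }
        /Verify return code: 0 \(ok\)/ { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# preflight HOST:PORT CAFILE: one STARTTLS handshake, no mail sent.
# Without -quiet and with stdin closed, s_client prints its session summary.
preflight() {
    openssl s_client -starttls smtp -connect "$1" -CAfile "$2" \
        </dev/null 2>&1 | verify_ok
}

# Constructed transcripts, modelled on the output quoted in this thread.
SAMPLE_FAIL='depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify error:num=20:unable to get local issuer certificate
verify return:1
250 SMTPUTF8
    Verify return code: 20 (unable to get local issuer certificate)'

SAMPLE_OK='depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
verify return:1
250 SMTPUTF8
    Verify return code: 0 (ok)'

# check TRANSCRIPT: print "verified" or "unverified" for captured output.
check() {
    if printf '%s\n' "$1" | verify_ok; then echo verified; else echo unverified; fi
}

check "$SAMPLE_FAIL"   # the session still reached "250", yet the chain failed
check "$SAMPLE_OK"
```

Run `preflight smtp.gmail.com:587 /jffs/configs/GMail_Root_CA.pem || exit 1` ahead of the sendmail line; on OpenSSL builds that have it, adding `-verify_return_error` to the `-H` helper makes s_client itself abort on a failed chain.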
 
.......
13. Transfer this .pem file to /jffs/configs folder and make sure you reference this file in your mail script.

Well thanks! I followed your recipe word for word, and wham! It works fine... I'm using this stanza:

cat /tmp/mail.txt | sendmail -H"exec openssl s_client -quiet -CAfile GMail_Root_CA.pem -connect smtp.gmail.com:587 -tls1 -starttls smtp" -f"$FROM" -au"$AUTH" -ap"$PASS" $TO
 
Ran into this the other day - debian has a little sendmail agent - perfect for something like this, and it supports secure SMTP...

sSMTP

It's not a full blown MTA like Sendmail/Postfix/QMail, but might be perfect here...

https://packages.debian.org/sid/ssmtp

Might take a bit of work to integrate - but it looks perfect for burping off notifications and logs, etc...
 
Hello, would it be a good choice for an embedded system though?
 
It's the primary purpose - that way someone doesn't have to install postfix/sendmail or other SMTP MTA...

ssmtp acts like an MTA, but its primary purpose is to send outgoing items (like notifications)
 
Both Curl and Busybox's sendmail applet can do this already, and are part of the firmware. Quick example using Curl and a mail stored in /tmp/mail.txt:

Code:
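# --insecure turns off certificate verification; replace it with
# --cacert /path/to/root_ca.pem to have curl check the server certificate
curl --url "smtps://$SMTP:$PORT" \
  --mail-from "$FROM_ADDRESS" --mail-rcpt "$TO_ADDRESS" \
  --upload-file /tmp/mail.txt \
  --ssl-reqd \
  --user "$USERNAME:$PASSWORD" --insecure \
  -v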
 
