ssl & startls email - Shibby(Toastman?) openssl s_client patch

Discussion in 'Tomato Firmware' started by jerrm, Mar 29, 2013.

  1. jerrm

    jerrm Network Guru Member

    I finally worked through adding s_client support to Shibby. This allows using the built in sendmail to send email through servers that require either an ssl or starttls connection.

    I'd love to see this added to the official builds, ideally in the 8MB builds, but I'd be happy with the builds over 8MB.

    This was done using Shibby 108, but looks like it should apply to Toastman too (Toastman not tested at this point).

    Patch only adds 20K to the image:
    Shibby 108 from git:
    Creating TRX: image/tomato-K26USB-1.28.-git-with-build-fixes-MIPSR2-VPN.trx
    TRX Image:
    Total Size .... : 7868416 (7684.0 KB) (7.5 MB)
      Images ...... : 7866580 (0x007808d4)
      Padding ..... : 1808
    Shibby 108 With s_client:
    Creating TRX: image/tomato-K26USB-1.28..s_client2.MIPSR2-VPN.trx
    TRX Image:
    Total Size .... : 7888896 (7704.0 KB) (7.5 MB)
      Images ...... : 7886280 (0x007855c8)
      Padding ..... : 2588

    A sample script using this (from merlin's wiki):
    FROMNAME="Your Router"
    echo "Subject: WAN state notification" >/tmp/mail.txt
    echo "From: \"$FROMNAME\" <$FROM>" >>/tmp/mail.txt
    echo "Date: `date -R`" >>/tmp/mail.txt
    echo "I just got connected to the Internet." >>/tmp/mail.txt
    echo "My new IP is: `nvram get wan0_ipaddr`" >>/tmp/mail.txt
    echo "" >>/tmp/mail.txt
    echo "--- " >>/tmp/mail.txt
    echo "Your friendly router." >>/tmp/mail.txt
    echo "" >>/tmp/mail.txt
    cat /tmp/mail.txt | sendmail -H"exec openssl s_client -quiet \
    -connect -tls1 -starttls smtp" \
    -f"$FROM" \
    -au"$AUTH" -ap"$PASS" $TO
    rm /tmp/mail.txt

    EDIT: 2013-05-06 - removed unneeded module references from patch. Updated build summaries to reflect new sizes. Image size now only about 20K larger (was originally 25K larger).

    Attached Files:

  2. lancethepants

    lancethepants Network Guru Member

    I've always been frustrated that s_client has not been included in tomato. There's so many areas where this could be useful (like OpenVPN connection notifications).

    Currently I've been using Fuller versions of OpenSSL loaded in /opt or Python too, but I hate having to depend on external devices for system critical function, ie, OpenVPN won't allow connections unless it can successfully send an email when it is setup to.

    I would like to see this in builds where size isn't so much of an issue, like an AIO firmware.
    philess likes this.
  3. jerrm

    jerrm Network Guru Member

    Exactly why I got this going. I have several units where the only reason I have usb and a /opt is to load msmtp. My scripts often could live in jffs or even nvram in many instances.

    Thought I'd stop asking about it, work out what needed to be done, and hope one of the developers take the bait.

    There is no reason not to include it in the larger builds. The 8MB builds you can argue about, but I'd really appreciate it there too.
  4. mstombs

    mstombs Network Guru Member

    Nice, I've often wanted ability to use gmail because it allows config to be non-isp specific, and potentially very useful in dual/multi-wan routers!
  5. leandroong

    leandroong LI Guru Member

  6. koitsu

    koitsu Network Guru Member

    Be aware this script is likely to cause anti-spam software to mark mails as spam given some mistakes made in generating SMTP headers (not envelope). I would be very cautious to consider using this.
  7. jerrm

    jerrm Network Guru Member

    Yeah, it may be a little too brief. Only pulled it down as a quick cut and paste example for the command line. Not trying to teach message formatting.

    My "mailfile" script would have been too much for folks to wade through - reads (multiple) config files, command line options, tomato version uses bb sendmail or msmtp (if available), etc, etc. Even then, I know it still has some technical mime/header issues. My script isn't perfect either, but I've been using the same basic wrapper around various mailers on multiple platforms for 10+ years with no issues.
  8. koitsu

    koitsu Network Guru Member

    The issue isn't with brevity, it's with 1) a From: header that lacks spaces between the quoted realname and the actual Email address in brackets, and 2) a Date: header that might not be what most things expect -- just checked this, date -R does emit an acceptable syntax, so ignore that. The From: thing is quite major however.

    Also whoever wrote that script apparently has no familiarity with heredocs (more details). The above is a great/perfect example of where one can come in handy to greatly increase legibility of output. Example, with From: fix:

    cat << EOF > /tmp/mail.txt
    From: "$FROMNAME" <$FROM>
    Subject: WAN state notification
    Date: `date -R`
    I just got connected to the Internet.
    My new IP is: `nvram get wan0_ipaddr`
    Your friendly router.
    Be sure to include a space after the "--" characters as well (i.e. hyphen hyphen space newline) -- that's how mail clients distinguish a signature from the rest of the body.

    I would also suggest assigning the temp file name to a variable and using $$ (for the PID), e.g. tmpfile="/tmp/mail.txt.$$" then later rm $tmpfile, otherwise if this script takes too long to run and there are multiple instances, due to lack of a global semaphore / locking capability, you could end up with two scripts running simultaneously + overwriting the same file.
  9. roadkill

    roadkill Super Moderator Staff Member Member

    I think it's a nice feature ;)
  10. leandroong

    leandroong LI Guru Member

    Entware optware for "How to install msmtp and configuration"

    working msmstprc setting sample:
    account default
    port 587
    protocol smtp
    auth on
    #auth plain
    password whocares
    syslog LOG_MAIL
    # Use TLS.
    tls on
    tls_starttls on
    tls_certcheck off
    date: 03.31.2013
    subject: Test-email
    This is a testmail from your router in order to see that email works.
    to send mail: msmtp -t </tmp/testmail

    Tested working...
  11. jerrm

    jerrm Network Guru Member

    I routinely use msmtp now, but it is incredibly heavy for what should be such a simple task, and often is the only thing I need entware for.

    Email should be part of the basic package- and it is - but more and more servers are requiring a secured connection.

    With a 3K wrapper script, its just as simple to use as msmtp.

    I don't know if a lighter weight/easier to implement/easier to maintain in the tree solution exists - but I would be happy to proven wrong.
  12. shibby20

    shibby20 Network Guru Member

    @jerrm why do you add "ca.o ocsp.o"? Do we need this? s_client is compiling without errors without those two object.

  13. jerrm

    jerrm Network Guru Member

    If I recall correctly, it failed at install. Thought I tried all permutations without additional modules, but I was doing it in 5 minute bursts of free time between wrangling the kids. Don't have access to the build machine now - will look at it tonight.
  14. jerrm

    jerrm Network Guru Member

    You are right, ca and ocsp references are not needed. Built everything from a fresh git pull without them and it completed OK. Flashed and tested straight ssl and starttls, with and without cert verification, along with a few non-mail tests - it all worked fine. Looks like additional size was reduced by 4-5K without the unneeded modules.

    I'm sure I had to add those modules back when testing. I had originally built a more complete openssl, and then cut back to only adding s_client. Only thing I can think of is something wasn't being cleaned completely.

    Whatever the reason for my screw up, it's better and smaller now.

    Not that you need it, but I updated the original post and patch for completeness
    shibby20 likes this.
  15. Kevin Darbyshire-Bryant

    Kevin Darbyshire-Bryant Networkin' Nut Member

    A useful and sensible addition in my opinion. Thank you.
  16. srouquette

    srouquette Network Guru Member

    +1 for openssl s_client.
  17. shibby20

    shibby20 Network Guru Member

    litttle info for devs: we need include to image. This is important for a smaller builds without build-in openVPN.

    v109 has s_client and will be released today ;)
    jerrm likes this.
  18. srouquette

    srouquette Network Guru Member

    awesome, thanks :)
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice