Thanks a lot neoman for this update! Could i add this new version to the pack Chrysalis ?

Sure! Also I made more fixes today in version 1.01:

https://code.google.com/p/simplemail-mos/
http://amigapurist.scenespace.net/simplemail-mos/simplemail-mos-1.01.lha

With this version common root CAs are supported (Google Mail etc.). Also self-signed certs can be validated permanently now.

Quote:

Works great! And with the locale from SM 0.40 is SM 1.01 in german too.

Quote:

Well done man! Thank you very much. A working native SSL E-mail client was really missing.

Thanks a lot guys. I really appreciate that :)
Currently I'm coding on a real folder tree for IMAP accounts.

DanicaTalos: Ah I forgot that locale, I will add it.

Okay did a quick test. Current SimpleMail-MOS 1.0.1 is vulnerable to man in the middle attacks due to missing hostname validation.

The problem is that even though the certificate chain is validated, openssl itself doesn't actually verify that the certificate belongs to this specific hostname. The application itself must take care of this. Omitting this verification is very common implementation mistake.

Instructions on how to remedy this can be found from the openssl wiki: http://wiki.openssl.org/index.php/Hostname_validation


It is also recommended to disable the SSL3.0 support to mitigate the POODLE vulnerability. This can be done with: SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); It is also be possible to add option to enable SSL3.0 and by default have it disabled. That way user can manually downgrade the security if no other option is available for connectivity.

[ Edited by Piru On 2014/10/28 4:30 ]

Piru: You're right - I ported SimpleMail to OpenSSL without touching the SSL implementation so there is still no hostname validation. I will add that in the next version :)

Hello,

a new day, a new release 1.1, beta for now, because I'm not sure if I got the hostname validation completely right. But I also added other features:

- Added hostname verification
- Added Checkboxes to allow SSLv2/V3 in Configuration/Receive Mail
- Added real IMAP folder tree with arbitrary depth

https://code.google.com/p/simplemail-mos/
http://amigapurist.scenespace.net/simplemail-mos/simplemail-mos-1.1beta.lha

Piru: What is your setup for a man in the middle attack so I can properly test it?

Quote:

It's a bit different for various tests.


1. For hostname validation I just add a local 'hosts' entry that points to a server with different name. Say:

64.233.161.109 mail.hacktest.lol


(the specific IP is run by google. The important part is that port 995 is open with a valid cert.

Finally, I configure the app to use mail.hacktest.lol 995 .. connection should fail due to hostname mismatch.


2. To verify that the actual chain validation is correct I use sslsniff. At the routing linux box I do:

# iptables -t nat -A PREROUTING -p tcp --destination-port 995 -j REDIRECT --to-ports 4995
# sslsniff -a -c /usr/share/sslsniff/certs/wildcard -s 4995 -w /dev/stdout

Then I just attempt to use any imaps (port 995) and see if the connection is actually MitMed by sslsniff.

[ Edited by Piru On 2014/10/28 18:57 ]

Thanks, Piru. I think I found it Hostname verification is OK now.

http://amigapurist.scenespace.net/simplemail-mos/simplemail-mos-1.1.lha

So, what is the preferred setup then? Allow SSLv2, but not SSLv3? Or don't allow either of those?

Quote:

Both SSL v2 and SSL v3 are insecure and should no longer be used. Servers should be configured to only accept TLS v1.0, v1.1 and / or v1.2 connections.

Hi neoman,

at first I want to thank you for your work on SimpleMail. Every progress to this program brings us forward. But I do not think it is a good idea to fork from SimpleMail. Why is a fork needed to add some features? Every platform of the four should benefit from it. I cannot use MOS udnerway but I can use OS3 and aROS. But I cannot mail because SimpleMail does not connect to the Mail server. A working IMAP program (finally!) would be great. If you do not have other flavours then you should ask others to test like the maintainers of SimpleMail. They would be happy to have more workers in the team and also MOS would benefit from it by having these changes in the official project. Also many more people could test it and report back errors or other input.

"All newer SSL/TLS protocols are working with SimpleMail-MOS now." Not for me still (same as the real SimpleMail). Your fork does not connect to the mail server that I use anway, same as the original SimpleMail. All I get is a "connection error" when trying to fetch mails. The settings are correct because they work in other programs (non Amiga). SimpleMail has no additional information, no log file, just two words in the message window. Even less than YAM. So I can not check what is going wrong.


Piru, good hint about security. BTW: I get a lot of messages like "SSL error" or "peer certificate cannot be authenticated with given CA certificates." when I browse websites with OWB. Is this information correct in general or is it due to old OWB/Webkit? Our OW is almost one year old. I would like to know before telling the webmasters to update their servers.

Great work, works really fast and stable!
It would be cool when sent messages automaticly moved from local sent folder to imap sent folder.

> I get a lot of messages like "SSL error" or "peer certificate cannot be authenticated
> with given CA certificates." when I browse websites with OWB.

http://morph.zone/modules/newbb_plus/viewtopic.php?forum=3&topic_id=9462&start=46
http://morph.zone/modules/newbb_plus/viewtopic.php?forum=9&topic_id=6816&start=12

Have you tried this?

connor: You're not the first asking these questions. I already answered them in a german Amiga forum (amiga-news) but to make it short, I want to use the time I have to develop.

I'm willing to port my changes to the other systems. But I don't have the other systems for testing. I'm currently searching for someone who is willing to build images with test/development-systems which I can run in VMWare/UAE.

I forked SimpleMail because I tried to contact the original authors 4 months before without getting any answer. But I wanted to publish my work because I noticed a working mail client is necessary.

If you got problems with SSL connections, please provide following information:

- POP3/IMAP/SMTP hosts and their ports, also all checkboxes you clicked in the configuration dialog
- Start "SimpleMail DEBUGLEVEL=20 DEBUGOUT=log.txt", try to connect to your mail servers, exit SimpleMail, and send me log.txt
- MorphOS version and output of the command "openssl version"

THank you for your answer and your will to cooperate. This will be the best for all users of this program. I just hope that you will contribute to the original project to not have two half served versions of the same program.

To the SSL probem: The funny thing is: my settings were saved from the last try with the standard version and I got the connection errors. Immediately when I started it with DEBUGOUT instead then it worked. Several times before with the standard version it did not work. I tried again after some days and it still works. After that I saw that there is an update. I installed it and SimpleMail still can pull the mails.