Software :: SimpleMail-MOS 1.00
Posted By: neoman. on 2014/10/27 11:14:41
The well-known mail client SimpleMail for MorphOS got quite outdated and incompatible recently, so mail servers like Google Mail were not functioning properly with SSL anymore. Also AmiSSL is quite patchworked, so I ported OpenSSL into SimpleMail. All newer SSL/TLS protocols are working with SimpleMail-MOS now. Additionally I fixed a bug in the IMAP folder index implementation, so huge IMAP accounts can be fetched now.

I released that as a fork called SimpleMail-MOS in which I will add features and fixes particular to MorphOS. When the authors of SimpleMail make some changes to their client in the future, I will merge them into this fork to keep it up to date.

You can find the source and a download link here: https://code.google.com/p/simplemail-mos/
 
  • Caterpillar
    neoman
    Joined: 2013/7/29
    Posts: 33
    From: .de
    Sure! Also I made more fixes today in version 1.01:

    https://code.google.com/p/simplemail-mos/
    http://amigapurist.scenespace.net/simplemail-mos/simplemail-mos-1.01.lha

    With this version common root CAs are supported (Google Mail etc.). Also self-signed certs can be validated permanently now.
  • »2014/10/27 15:24
  • Order of the Butterfly
    DanicaTalos
    Joined: 2010/10/15
    Posts: 365
    From: 01101110011100...
    Quote:

    Sure! Also I made more fixes today in version 1.01:

    https://code.google.com/p/simplemail-mos/
    http://amigapurist.scenespace.net/simplemail-mos/simplemail-mos-1.01.lha

    With this version common root CAs are supported (Google Mail etc.). Also self-signed certs can be validated permanently now.


    Works great! And with the locale from SM 0.40, SM 1.01 is in German too.
    Mac Mini G4 -1,50 GHz - 64MB VRAM - 1GB RAM - 60GB SSD - MorphOS 3.8
    PowerBook G4 - 1,67 GHz - 128MB VRAM - 2GB RAM - 64GB SSD - Kubuntu 12.04
  • »2014/10/27 19:28
  • Order of the Butterfly
    defender
    Joined: 2011/4/24
    Posts: 245
    From:
    Quote:

    Sure! Also I made more fixes today in version 1.01


    Well done man! Thank you very much. A working native SSL E-mail client was really missing.
    :-)
    PowerMac 3.6 - Radeon 9000_64Mb - 1,5Gb Ram - SB Live - MorphOS 3.9
    CD32 - PowerBook 1,67GHz 1GB/100GB - MorphOS 3 reg. 1455
  • »2014/10/27 19:45
  • Caterpillar
    neoman
    Joined: 2013/7/29
    Posts: 33
    From: .de
    Thanks a lot guys. I really appreciate that :)
    Currently I'm coding on a real folder tree for IMAP accounts.

    DanicaTalos: Ah I forgot that locale, I will add it.
  • »2014/10/27 20:08
  • MorphOS Developer
    Piru
    Joined: 2003/2/24
    Posts: 549
    From: finland, the l...
    Okay did a quick test. Current SimpleMail-MOS 1.0.1 is vulnerable to man in the middle attacks due to missing hostname validation.

    The problem is that even though the certificate chain is validated, openssl itself doesn't actually verify that the certificate belongs to this specific hostname. The application itself must take care of this. Omitting this verification is a very common implementation mistake.

    Instructions on how to remedy this can be found on the openssl wiki: http://wiki.openssl.org/index.php/Hostname_validation


    It is also recommended to disable the SSL3.0 support to mitigate the POODLE vulnerability. This can be done with: SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3); It is also possible to add an option to enable SSL3.0 and have it disabled by default. That way the user can manually downgrade the security if no other option is available for connectivity.

    [ Edited by Piru On 2014/10/28 4:30 ]
  • »2014/10/27 23:43
  • Caterpillar
    neoman
    Joined: 2013/7/29
    Posts: 33
    From: .de
    Piru: You're right - I ported SimpleMail to OpenSSL without touching the SSL implementation so there is still no hostname validation. I will add that in the next version :)
  • »2014/10/28 6:58
  • Caterpillar
    neoman
    Joined: 2013/7/29
    Posts: 33
    From: .de
    Hello,

    a new day, a new release 1.1, beta for now, because I'm not sure if I got the hostname validation completely right. But I also added other features:

    - Added hostname verification
    - Added Checkboxes to allow SSLv2/V3 in Configuration/Receive Mail
    - Added real IMAP folder tree with arbitrary depth

    https://code.google.com/p/simplemail-mos/
    http://amigapurist.scenespace.net/simplemail-mos/simplemail-mos-1.1beta.lha

    Piru: What is your setup for a man in the middle attack so I can properly test it?
  • »2014/10/28 14:45
  • MorphOS Developer
    Piru
    Joined: 2003/2/24
    Posts: 549
    From: finland, the l...
    Quote:

    Piru: What is your setup for a man in the middle attack so I can properly test it?


    It's a bit different for various tests.


    1. For hostname validation I just add a local 'hosts' entry that points to a server with different name. Say:

    64.233.161.109 mail.hacktest.lol


    (The specific IP is run by Google. The important part is that port 995 is open with a valid cert.)

    Finally, I configure the app to use mail.hacktest.lol 995 .. connection should fail due to hostname mismatch.


    2. To verify that the actual chain validation is correct I use sslsniff. On the routing Linux box I do:

    # iptables -t nat -A PREROUTING -p tcp --destination-port 995 -j REDIRECT --to-ports 4995
    # sslsniff -a -c /usr/share/sslsniff/certs/wildcard -s 4995 -w /dev/stdout

    Then I just attempt to use any imaps (port 995) and see if the connection is actually MitMed by sslsniff.

    [ Edited by Piru On 2014/10/28 18:57 ]
  • »2014/10/28 15:56
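Added example (not part of the thread and not SimpleMail-MOS code): the matching step behind the hostname validation Piru describes earlier in the thread, exercised with the mismatch case from test 1 above. The function and type names are hypothetical, the certificate names are constructed samples, and the caller is assumed to have validated the chain and extracted the subjectAltName dNSName entries already.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* One dNSName entry: length-delimited; data[len] is assumed to be '\0'. */
struct cert_name { const char *data; size_t len; };

/* ASCII case-insensitive equality of two NUL-terminated strings. */
static int equal_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* A '*' counts only as the whole left-most label and covers one label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return equal_nocase(pattern, host);
    const char *suffix = pattern + 1;         /* ".example.org" */
    if (strchr(suffix + 1, '.') == NULL)      /* refuse "*.org" */
        return 0;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)           /* first label must be non-empty */
        return 0;
    return equal_nocase(dot, suffix);
}

/* 1 if any name from the chain-validated certificate covers host, else 0. */
int cert_covers_host(const struct cert_name *names, size_t n, const char *host)
{
    if (host == NULL || *host == '\0')
        return 0;
    for (size_t i = 0; i < n; i++) {
        /* Skip names with an embedded NUL: C string code would truncate them. */
        if (names[i].data == NULL || memchr(names[i].data, '\0', names[i].len))
            continue;
        if (name_matches(names[i].data, host))
            return 1;
    }
    return 0;
}

/* Constructed sample names, not taken from a real certificate. */
#define NAME(s) { s, sizeof(s) - 1 }
const struct cert_name sample_names[] = { NAME("pop.example.org"),
    NAME("*.mail.example.org"), NAME("mail.hacktest.lol\0.example.org") };
```

Current OpenSSL releases can perform this matching during the handshake when the client calls SSL_set1_host() with the configured server name and peer verification is enabled.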
  • Caterpillar
    neoman
    Joined: 2013/7/29
    Posts: 33
    From: .de
    Thanks, Piru. I think I found it :-) Hostname verification is OK now.

    http://amigapurist.scenespace.net/simplemail-mos/simplemail-mos-1.1.lha
  • »2014/10/28 16:12
  • ASiegel
    Joined: 2003/2/15
    Posts: 1349
    From: Central Europe
    Quote:

    So, what is the preferred setup then? Allow SSLv2, but not SSLv3? Or don't allow either of those?


    Both SSL v2 and SSL v3 are insecure and should no longer be used. Servers should be configured to only accept TLS v1.0, v1.1 and / or v1.2 connections.
  • »2014/10/28 16:37
  • Priest of the Order of the Butterfly
    connor
    Joined: 2007/7/29
    Posts: 545
    From:
    Hi neoman,

    at first I want to thank you for your work on SimpleMail. Every progress to this program brings us forward. But I do not think it is a good idea to fork from SimpleMail. Why is a fork needed to add some features? Every platform of the four should benefit from it. I cannot use MOS underway but I can use OS3 and aROS. But I cannot mail because SimpleMail does not connect to the Mail server. A working IMAP program (finally!) would be great. If you do not have other flavours then you should ask others to test like the maintainers of SimpleMail. They would be happy to have more workers in the team and also MOS would benefit from it by having these changes in the official project. Also many more people could test it and report back errors or other input.

    "All newer SSL/TLS protocols are working with SimpleMail-MOS now." Not for me still (same as the real SimpleMail). Your fork does not connect to the mail server that I use anyway, same as the original SimpleMail. All I get is a "connection error" when trying to fetch mails. The settings are correct because they work in other programs (non Amiga). SimpleMail has no additional information, no log file, just two words in the message window. Even less than YAM. So I can not check what is going wrong.


    Piru, good hint about security. BTW: I get a lot of messages like "SSL error" or "peer certificate cannot be authenticated with given CA certificates." when I browse websites with OWB. Is this information correct in general or is it due to old OWB/Webkit? Our OWB is almost one year old. I would like to know before telling the webmasters to update their servers.
  • »2014/10/28 17:26
  • Priest of the Order of the Butterfly
    eliot
    Joined: 2004/4/15
    Posts: 560
    From:
    Great work, works really fast and stable!
    It would be cool when sent messages automatically moved from local sent folder to imap sent folder.
    regards
    eliot
  • »2014/10/28 18:32
  • Andreas_Wolf
    Joined: 2003/5/22
    Posts: 11715
    From: Germany
    > I get a lot of messages like "SSL error" or "peer certificate cannot be authenticated
    > with given CA certificates." when I browse websites with OWB.

    http://morph.zone/modules/newbb_plus/viewtopic.php?forum=3&topic_id=9462&start=46
    http://morph.zone/modules/newbb_plus/viewtopic.php?forum=9&topic_id=6816&start=12

    Have you tried this?
  • »2014/10/28 19:10
  • Caterpillar
    neoman
    Joined: 2013/7/29
    Posts: 33
    From: .de
    connor: You're not the first asking these questions. I already answered them in a German Amiga forum (amiga-news) but to make it short, I want to use the time I have to develop.

    I'm willing to port my changes to the other systems. But I don't have the other systems for testing. I'm currently searching for someone who is willing to build images with test/development-systems which I can run in VMWare/UAE.

    I forked SimpleMail because I tried to contact the original authors 4 months before without getting any answer. But I wanted to publish my work because I noticed a working mail client is necessary.

    If you got problems with SSL connections, please provide the following information:

    - POP3/IMAP/SMTP hosts and their ports, also all checkboxes you clicked in the configuration dialog
    - Start "SimpleMail DEBUGLEVEL=20 DEBUGOUT=log.txt", try to connect to your mail servers, exit SimpleMail, and send me log.txt
    - MorphOS version and output of the command "openssl version"
  • »2014/10/29 7:42
  • Priest of the Order of the Butterfly
    connor
    Joined: 2007/7/29
    Posts: 545
    From:
    Thank you for your answer and your will to cooperate. This will be the best for all users of this program. I just hope that you will contribute to the original project to not have two half served versions of the same program.

    To the SSL problem: The funny thing is: my settings were saved from the last try with the standard version and I got the connection errors. Immediately when I started it with DEBUGOUT instead then it worked. Several times before with the standard version it did not work. I tried again after some days and it still works. After that I saw that there is an update. I installed it and SimpleMail still can pull the mails.
  • »2014/11/4 16:49