D-Link Forums
The Graveyard - Products No Longer Supported => IP Cameras => DCS-2670L => Topic started by: PoBe on August 27, 2019, 11:50:32 PM
-
I just got a DCS 2670L camera. When configuring / testing the "Event Setup" I tried to set up email notification using TLS over port 587. I have a number of other DCS cameras configured using email over TLS/587 without problem. But for the 2670L I could not get it going. It looks like the initial authorization failed.
2019-08-28 07:59:22 xxxxxxxxxxxx sendmail[30683]: STARTTLS=server, relay=[192.168.42.204], version=TLSv1, verify=NOT, cipher=ECDHE-RSA-AES256-SHA, bits=256/25
2019-08-28 07:59:22 xxxxxxxxxxxx sendmail[30683]: x7S5xGVg030683: [192.168.42.204] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
I have used the same mail server and account for other cameras without any problem. Using plain port 25 without TLS was a workaround for me. With the camera and mail server on the same closed network I believe it's acceptable.
I discovered that the "Network storage" server alternative has been removed. This alternative has been around for many of the cameras for a long time. This was a bit of a disappointment. The FTP alternative was an alternative for me (but not the preferred one).
I'm running the latest firmware, 2.01.10.
Are you aware of any issues using mail tls/587 notification?
Why was the Network Storage server option removed?
Is D-Link's long-term direction to remove the WEB UI for their cameras?
If so, I can understand the rationale, but IMHO the mylink has a long, long way to go before I would find it appealing and functionally worthy and overall worthy.
-
Hello, I have the same firmware and I use TLS on port 587 to send emails. I have no problems, it works very well.
For network storage I was also surprised, and I use FTP instead.
Sincerely
Pascal
-
I'm glad that someone has it working. It gives me hope. I will give it a more in-depth try. I have six 2132L cameras using mail notification and the same mail server and account without any issues. I was quite convinced I had the new 2670L set up in the same way. Maybe I have not :o
Btw what mail server and version of the server are you using?
What openssl version are you using?
I'm on sendmail 8.15.2 and openssl 1.1.1b
best regards,
PoBe
-
Hmm, still unsuccessful in getting it working. The difference between the camera working and the one not working is:
Working camera
- Remote and comes in via a router
- Use cipher DHE-RSA-AES256-SHA
Non Working Camera
- Is a node on the local LAN (and is relayed via the router on the LAN)
- Using cipher ECDHE-RSA-AES256-SHA
Both ciphers appear for TLSv1 when listing the ciphers in OpenSSL. In sendmail I have not specified any ciphers, so I assume that it will use what OpenSSL has.
Looking at more verbose sendmail logs, it looks like the failing camera does not even get to the authorization phase. The last logging is:
2019-08-29 19:27:54 xxxxxxxxxx sendmail[2923]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
2019-08-29 19:27:54 xxxxxxxxxx sendmail[2923]: AUTH: available mech=GSS-SPNEGO GSSAPI LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
2019-08-29 19:27:54 xxxxxxxxxx sendmail[2923]: STARTTLS=read, info: fds=7/4, err=2
2019-08-29 19:27:54 xxxxxxxxxx sendmail[2923]: x7THRl8S002923: <-- QUIT
The verbose sendmail logs for a failing connection and a successful connection are found via the URL below.
https://www.dropbox.com/sh/9wf8cmk7jyoqjvc/AAB8jmSU3UYPa-P5JcDi5i7ca?dl=0
-
Hello, unfortunately I don't have the same computer knowledge as you do.
What I meant, in the hope that it will help you, is my configuration of the mail event.
Sender's e-mail address xxxx@gmx.fr
Recipient's email address xxxx@gmail.com
Address of the mail server.gmx.com
User name xxxx@gmx.fr
Password °°°°°°°°°°°°°°°°°°
Port 587
checked "This server requires a secure connection (StartTLS)"
Sincerely
-
Thanks. To me it looks like the camera terminates/quits the TLS session before the authentication. Everything looks OK in the mail server log. Unfortunately the logging in the camera is very sparse, so it's not possible to tell why the camera quit the session.
Below you will see the failed interaction:
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: STARTTLS=server, relay=[192.168.42.204], version=TLSv1, verify=NOT, cipher=ECDHE-RSA-AES256-SHA, bits=256/256
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: AUTH: available mech=GSS-SPNEGO GSSAPI LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: STARTTLS=read, info: fds=7/4, err=2
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: x7U681bh018794: <-- QUIT
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: x7U681bh018794: --- 221 2.0.0 xxxxxxxxx.com closing connection
This is how it looks from a camera that works
2019-08-29 19:36:01 xxxxxxxxxx sendmail[3431]: x7THZuRj003431: --- 220 2.0.0 Ready to start TLS
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: STARTTLS=server, get_verify: 0 get_peer: 0x0
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: STARTTLS=server, relay=nn-nnn-nnn-nn.foobar.frotz.net [nn.nnn.nnn.nn], version=TLSv1, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: AUTH: available mech=GSS-SPNEGO GSSAPI LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: STARTTLS=read, info: fds=7/4, err=2
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: x7THZuRj003431: <-- EHLO smtp.txt
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: x7THZuRk003431: milter=greylist, action=helo, continue
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: x7THZuRj003431: <-- EHLO smtp.txt
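The comparison made by hand in the post above can be automated. The following is an added example, not code from the thread or from D-Link or sendmail: it groups verbose sendmail log lines by process ID and reports the negotiated cipher and the first SMTP command the client sent after the TLS handshake. It assumes the log layout quoted in this thread; the function name `summarize` is hypothetical.

```python
import re

# Sample lines taken from the sendmail logs quoted in this thread (host name masked there).
SAMPLE = """\
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: STARTTLS=server, relay=[192.168.42.204], version=TLSv1, verify=NOT, cipher=ECDHE-RSA-AES256-SHA, bits=256/256
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: STARTTLS=read, info: fds=7/4, err=2
2019-08-30 08:08:08 xxxxxxxxx sendmail[18794]: x7U681bh018794: <-- QUIT
2019-08-29 19:36:01 xxxxxxxxxx sendmail[3431]: x7THZuRj003431: --- 220 2.0.0 Ready to start TLS
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: STARTTLS=server, relay=nn-nnn-nnn-nn.foobar.frotz.net [nn.nnn.nnn.nn], version=TLSv1, verify=NOT, cipher=DHE-RSA-AES256-SHA, bits=256/256
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: STARTTLS=read, info: fds=7/4, err=2
2019-08-29 19:36:04 xxxxxxxxxx sendmail[3431]: x7THZuRj003431: <-- EHLO smtp.txt
"""

LINE = re.compile(r"^\S+ \S+ \S+ sendmail\[(\d+)\]: (.*)$")
TLS = re.compile(r"STARTTLS=server, relay=.*version=([^,]+),.*cipher=([^,]+),")
CMD = re.compile(r"^\w+: <-- (\w+)")  # "<--" marks a command received from the client


def summarize(log_text):
    """Return {pid: session info} describing what each client did after TLS."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a sendmail line in the expected layout
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {"version": None, "cipher": None, "after_tls": []})
        tls = TLS.search(msg)
        if tls:
            s["version"], s["cipher"] = tls.groups()
            continue
        cmd = CMD.match(msg)
        if cmd and s["cipher"]:  # only count commands seen after the handshake
            s["after_tls"].append(cmd.group(1).upper())
    for s in sessions.values():
        if s["cipher"] is None:
            s["verdict"] = "no TLS handshake logged"
        elif not s["after_tls"]:
            s["verdict"] = "no command after TLS handshake"
        elif s["after_tls"][0] == "QUIT":
            s["verdict"] = "client quit right after TLS handshake"
        else:
            s["verdict"] = "SMTP continued over TLS"
    return sessions


if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        print(pid, s["version"], s["cipher"], s["verdict"])
```

The script only classifies sessions; it does not say why a client quit, which still needs the client's own logs or a packet trace.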
-
When running a TCP trace on the sessions that work and do not work, I can see that the key exchange and TLS session are established in both cases. In the session that fails, the client sends one application message and the mail server responds with one application message before the mail server sends an Encrypted Alert.
From tracing an unencrypted session I can see that the first application message from the client is a "MAIL FROM:..." The server would then respond with a "250 2.1.0 <sender> ... Sender ok".
So when running the 2670L over port 25 unencrypted, mail notification works.
When using port 587 and TLS it does not work.
Testing with a 2230L against the same mail server and mail account, port 587 and TLS works.
The only difference between the two cameras, as far as I can see, is that the 2670L uses the cipher ECDHE-RSA-AES256-SHA while the 2230L is using DHE-RSA-AES256-SHA.
But since the trace indicates that the establishment of the TLS session is OK in both cases, I wonder if that has any relevance? However, the mail server's response to the Client Key Exchange message says "Change Cipher Spec"; was the cipher then changed to something else? Do both have the same capabilities to deal with any new cipher (if it was changed)?
Here is the summary trace for the working 2230L camera
No. Time Source Destination Protocol Length Info
42 3.611963 192.168.42.201 192.168.42.11 TCP 74 2521 → 587 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=823973818 TSecr=0 WS=2
43 3.611998 192.168.42.11 192.168.42.201 TCP 74 587 → 2521 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2099072690 TSecr=823973818 WS=128
44 3.614888 192.168.42.201 192.168.42.11 TCP 66 2521 → 587 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=823973819 TSecr=2099072690
81 8.627260 192.168.42.11 192.168.42.201 SMTP 147 S: 220 xxxxxxxx.com ESMTP Sendmail 8.15.2/8.15.2; Fri, 30 Aug 2019 17:22:41 +0200
82 8.629172 192.168.42.201 192.168.42.11 TCP 66 2521 → 587 [ACK] Seq=1 Ack=82 Win=5840 Len=0 TSval=823974321 TSecr=2099077705
83 8.630065 192.168.42.201 192.168.42.11 SMTP 81 C: EHLO smtp.txt
84 8.630083 192.168.42.11 192.168.42.201 TCP 66 587 → 2521 [ACK] Seq=82 Ack=16 Win=65280 Len=0 TSval=2099077708 TSecr=823974321
85 8.630426 192.168.42.11 192.168.42.201 SMTP 259 S: 250-xxxxxxxx.com Hello [192.168.42.201], pleased to meet you | 250-ENHANCEDSTATUSCODES | 250-PIPELINING | 250-8BITMIME | 250-SIZE | 250-DSN | 250-AUTH GSSAPI | 250-STARTTLS | 250-DELIVERBY | 250 HELP
86 8.633950 192.168.42.201 192.168.42.11 SMTP 76 C: STARTTLS
87 8.633980 192.168.42.11 192.168.42.201 TCP 66 587 → 2521 [ACK] Seq=275 Ack=26 Win=65280 Len=0 TSval=2099077712 TSecr=823974321
88 8.634146 192.168.42.11 192.168.42.201 SMTP 96 S: 220 2.0.0 Ready to start TLS
89 8.648925 192.168.42.201 192.168.42.11 TLSv1 160 Client Hello
90 8.648951 192.168.42.11 192.168.42.201 TCP 66 587 → 2521 [ACK] Seq=305 Ack=120 Win=65280 Len=0 TSval=2099077727 TSecr=823974323
91 8.663513 192.168.42.11 192.168.42.201 TLSv1 1915 Server Hello, Certificate, Server Key Exchange, Server Hello Done
92 8.668453 192.168.42.201 192.168.42.11 TCP 66 2521 → 587 [ACK] Seq=120 Ack=2154 Win=12704 Len=0 TSval=823974325 TSecr=2099077742
104 11.032361 192.168.42.201 192.168.42.11 TLSv1 392 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
105 11.045152 192.168.42.11 192.168.42.201 TLSv1 300 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
106 11.054332 192.168.42.201 192.168.42.11 TLSv1 156 Application Data, Application Data
107 11.054876 192.168.42.11 192.168.42.201 TLSv1 295 Application Data
108 11.064731 192.168.42.201 192.168.42.11 TLSv1 156 Application Data, Application Data
109 11.064878 192.168.42.11 192.168.42.201 TLSv1 119 Application Data
110 11.068627 192.168.42.201 192.168.42.11 TLSv1 156 Application Data, Application Data
111 11.068758 192.168.42.11 192.168.42.201 TLSv1 119 Application Data
112 11.072400 192.168.42.201 192.168.42.11 TLSv1 156 Application Data, Application Data
Here is the summary trace for the failing 2670L camera
53 7.073430 192.168.42.204 192.168.42.11 TCP 74 48126 → 587 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=2304233 TSecr=0 WS=16
54 7.073464 192.168.42.11 192.168.42.204 TCP 74 587 → 48126 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2656197614 TSecr=2304233 WS=128
55 7.074196 192.168.42.204 192.168.42.11 TCP 66 48126 → 587 [ACK] Seq=1 Ack=1 Win=14608 Len=0 TSval=2304233 TSecr=2656197614
116 12.086100 192.168.42.11 192.168.42.204 SMTP 147 S: 220 xxxxxxxx.com ESMTP Sendmail 8.15.2/8.15.2; Fri, 30 Aug 2019 16:33:14 +0200
117 12.086494 192.168.42.204 192.168.42.11 TCP 66 48126 → 587 [ACK] Seq=1 Ack=82 Win=14608 Len=0 TSval=2304735 TSecr=2656202627
118 12.087191 192.168.42.204 192.168.42.11 SMTP 80 C: EHLO cam60CE
119 12.087208 192.168.42.11 192.168.42.204 TCP 66 587 → 48126 [ACK] Seq=82 Ack=15 Win=65280 Len=0 TSval=2656202628 TSecr=2304735
120 12.087456 192.168.42.11 192.168.42.204 SMTP 259 S: 250-xxxxxxxx.com Hello [192.168.42.204], pleased to meet you | 250-ENHANCEDSTATUSCODES | 250-PIPELINING | 250-8BITMIME | 250-SIZE | 250-DSN | 250-AUTH GSSAPI | 250-STARTTLS | 250-DELIVERBY | 250 HELP
121 12.125878 192.168.42.204 192.168.42.11 TCP 66 48126 → 587 [ACK] Seq=15 Ack=275 Win=15680 Len=0 TSval=2304739 TSecr=2656202628
133 14.349266 192.168.42.204 192.168.42.11 SMTP 76 C: STARTTLS
134 14.349296 192.168.42.11 192.168.42.204 TCP 66 587 → 48126 [ACK] Seq=275 Ack=25 Win=65280 Len=0 TSval=2656204890 TSecr=2304961
135 14.349477 192.168.42.11 192.168.42.204 SMTP 96 S: 220 2.0.0 Ready to start TLS
136 14.349831 192.168.42.204 192.168.42.11 TCP 66 48126 → 587 [ACK] Seq=25 Ack=305 Win=15680 Len=0 TSval=2304961 TSecr=2656204890
137 14.352414 192.168.42.204 192.168.42.11 TLSv1 265 Client Hello
138 14.352432 192.168.42.11 192.168.42.204 TCP 66 587 → 48126 [ACK] Seq=305 Ack=224 Win=65152 Len=0 TSval=2656204893 TSecr=2304961
139 14.358705 192.168.42.11 192.168.42.204 TLSv1 1473 Server Hello, Certificate, Server Key Exchange, Server Hello Done
140 14.395908 192.168.42.204 192.168.42.11 TCP 66 48126 → 587 [ACK] Seq=224 Ack=1712 Win=18576 Len=0 TSval=2304966 TSecr=2656204900
143 14.642190 192.168.42.204 192.168.42.11 TLSv1 200 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
144 14.643057 192.168.42.11 192.168.42.204 TLSv1 300 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
145 14.643728 192.168.42.204 192.168.42.11 TCP 66 48126 → 587 [ACK] Seq=358 Ack=1946 Win=21392 Len=0 TSval=2304990 TSecr=2656205184
146 14.688089 192.168.42.204 192.168.42.11 TLSv1 140 Application Data, Application Data
147 14.688269 192.168.42.11 192.168.42.204 TLSv1 151 Application Data
148 14.688331 192.168.42.11 192.168.42.204 TLSv1 103 Encrypted Alert
149 14.688885 192.168.42.204 192.168.42.11 TCP 66 48126 → 587 [ACK] Seq=432 Ack=2031 Win=21392 Len=0 TSval=2304995 TSecr=2656205229
154 14.698373 192.168.42.204 192.168.42.11 TLSv1 103 Encrypted Alert
155 14.698406 192.168.42.11 192.168.42.204 TCP 54 587 → 48126 [RST] Seq=2069 Win=0 Len=0
-
Looks like the email / TLS issue is being resolved in the 2.02.06 release.
-
Thanks for letting us know. ;)