Re: [twsocket] SSL enabling SMTPCLi

2017-05-04 Thread Angus Robertson - Magenta Systems Ltd
> thanks for your valuable information!
> Some of it indicates, that it might indeed be easier than feared 
> after looking at the demo project. ;-)

Or look at the code of my mail queue component, which validates chains
using either a PEM bundle or the windows store, just borrow the code.  

I've just borrowed the code myself for a new ICS HTTP proxy component
that will be in SVN in a week or so. 

Angus

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be


Re: [twsocket] SSL enabling SMTPCLi

2017-05-04 Thread Markus Humm
Hello Angus,

thanks for your valuable information!
Some of it indicates, that it might indeed be easier than feared after
looking at the demo project. ;-)

Best regards

Markus


Re: [twsocket] SSL enabling SMTPCLi

2017-05-04 Thread Angus Robertson - Magenta Systems Ltd
> I shortly looked at the mentioned sample. It contains some pem 
> files which seem to be certificates. Correct?
> They seem to be different from the ones I already used for my 
> DataSnap rest server to SSL enable it.

In general, SSL clients don't need certificates, rarely is it necessary
for a client to prove their identity to a remote server, and almost
never to a mail server.  Client certificates are supported by ICS which
is why the samples allow them, but I've never tested or used them.
They are most likely to be used for high security applications such as
SWIFT money transfers, etc. 

An SSL client should ideally check the SSL certificate it receives from
the server, since it wants to know it's really issued to GMAIL and not
someone impersonating GMAIL.  To do that the client needs trusted root
certificates, potentially several hundred since most countries have
local authorities, which is a major maintenance burden for software
vendors.  

ICS does include a file TrustedCABundle.pem in the samples directory
you can distribute with your application and which includes the major
root certificates.  I created this by extracting roots from Windows
Server.  The unit OverbyteIcsSslX509Utils also includes a string
constant sslRootCACertsBundle that contains 30 root certificates, which
avoids distributing a separate file.  

Or you can check received certificates against the Windows certificate
store, and avoid the root issue completely (OverbyteIcsMsVerify sample),
although this is slightly slower. 

 
> Then there's the difference between StartTLS and the "normal" 
> method. Can the client automatically detect which one to use? 

If you use the SSL version of the component, STARTTLS is handled
automatically.  

Angus
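
A sketch of the client-side setup described in the reply above, added here as an example and not code from the post or from ICS itself: the client presents no certificate, verifies the server's chain against the distributed TrustedCABundle.pem, and uses STARTTLS. The form class `TMailForm`, the component names `SslSmtpCli1` and `SslContext1`, and the host are hypothetical; the ICS property and event names follow the v8 OverbyteIcsSslMailSnd sample and should be checked against your ICS version.

```delphi
// Added example. Assumes a form (TMailForm, hypothetical) that owns a
// TSslSmtpCli named SslSmtpCli1 and a TSslContext named SslContext1, with
// OverbyteIcsWSocket and OverbyteIcsSmtpProt in the uses clause and the
// handler below assigned to SslSmtpCli1.OnSslHandshakeDone.

procedure TMailForm.PrepareTlsSend;
begin
    // No SslCertFile/SslPrivKeyFile: the client does not prove its identity,
    // it only checks the certificate the mail server presents.
    SslContext1.SslCAFile     := ExtractFilePath(ParamStr(0)) + 'TrustedCABundle.pem';
    SslContext1.SslVerifyPeer := True;   // validate the server chain against the bundle

    SslSmtpCli1.SslContext := SslContext1;
    SslSmtpCli1.Host       := 'smtp.example.com';  // placeholder host
    SslSmtpCli1.Port       := '587';
    SslSmtpCli1.SslType    := smtpTlsExplicit;     // STARTTLS; smtpTlsImplicit is TLS on connect
    SslSmtpCli1.Open;                              // asynchronous; continue in OnRequestDone
end;

procedure TMailForm.SslSmtpCli1SslHandshakeDone(Sender: TObject;
    ErrCode: Word; PeerCert: TX509Base; var Disconnect: Boolean);
begin
    // A non-zero ErrCode means the TLS handshake did not complete: do not send.
    if ErrCode <> 0 then begin
        Disconnect := True;
        Exit;
    end;
    // A trusted chain is not enough: the certificate must also be issued
    // for the host name this client connected to.
    if not PeerCert.PostConnectionCheck(SslSmtpCli1.Host) then
        Disconnect := True;
end;
```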




Re: [twsocket] SSL enabling SMTPCLi

2017-05-03 Thread Markus Humm
Hello,

I shortly looked at the mentioned sample. It contains some pem files
which seem to be certificates. Correct?
They seem to be different from the ones I already used for my DataSnap
rest server to SSL enable it.

And the other thing: if I initiate some SMTP connection using such
certificates, will the server validate them against some URL? If yes, how?
Or can I distribute generic certificates along with my application and
they should work?

Then there's the difference between StartTLS and the "normal" method.
Can the client automatically detect which one to use? I don't like the
user requiring to set up so many parameters... that could go wrong :-(

Regards

Markus


Re: [twsocket] SSL enabling SMTPCLi

2017-04-30 Thread Humm, Markus
> From: Angus Robertson - Magenta Systems Ltd [an...@magsys.co.uk]
>
> > it's difficult nowadays to find an analogue phone port and a
> > working modem ;-)
>
> And a working version of Windows, DUN is so rarely used now that
> Microsoft seems to no longer test it themselves, and DUN no longer
> works in Windows 10 version 1703, dial attempts just get a hardware
> error.

Good to know this! Thanks for sharing!

Regards

Markus


Re: [twsocket] SSL enabling SMTPCLi

2017-04-30 Thread Angus Robertson - Magenta Systems Ltd
> it's difficult nowadays to find an analogue phone port and a
> working modem ;-)

And a working version of Windows, DUN is so rarely used now that
Microsoft seems to no longer test it themselves, and DUN no longer
works in Windows 10 version 1703, dial attempts just get a hardware
error.  

So if Windows Update offers 1703 (released March 2017), ignore it if
you use VPN, or modems, including 3G mobile modems that sometimes use
DUN. 

Angus



Re: [twsocket] SSL enabling SMTPCLi

2017-04-29 Thread Markus Humm
Hello Angus,

thanks for your answer. It is a good starting point for me once I
actually find the time to do the necessary changes (which is not now).

As for sending issues: I already implemented the possibility to specify
several e-mail servers in my application which will be tried in the
specified order if one should not be reachable. That looks good enough
for now.

But rest assured: I use your component for using dial up networking, if
specified by the user, since years already. I just don't know if any
user actually uses it as the e-mail functionality is only used by a
subset of the user base.

Back when implementing this I did test it, but at work it's difficult
nowadays to find an analogue phone port and a working modem ;-)
(back when testing it it first failed and after fixing some
implementation bugs on my side I finally learned that the modem I had
lent was defective as well ;-) So I lent a different one from IT
department which worked ;-) )

Best regards

Markus


Re: [twsocket] SSL enabling SMTPCLi

2017-04-29 Thread Angus Robertson - Magenta Systems Ltd
> Sending still works, but only for SMTP servers not requiring TLS.
> What would I need to do to TLS enable this application?

Look at the sample OverbyteIcsSslMailSnd, which is the SSL enabled
version.  Essentially, you change to use TSslSmtpCli which has extra
events to handle the SSL handshaking events, and add an SslContext
which controls the SSL negotiation. 

Or you could change it to use my Mail Queue Component, which already
handles SSL, queues and retries email with multiple servers over 24
hours so it has a higher chance of being sent.  

https://www.magsys.co.uk/delphi/magics.asp

> My application meanwhile provides some webservice as well using 
> the built in DataSnap technology of Delphi, which also means I
> already distribute the 2 SSL DLLs required for this 

ICS always uses the latest OpenSSL 1.1.0 released a year ago, Indy is
stuck with an older version that uses different file names, so you will
have to distribute four DLLs with your application.  ICS will use the
older 1.0.2 versions as well, but I would not recommend it.

Angus



[twsocket] SSL enabling SMTPCLi

2017-04-28 Thread Markus Humm
Hello,

I once wrote a Delphi application in D2007 sending e-mails via SMTPCli
which got migrated to Berlin 10.1 meanwhile and thus ICS got upgraded to
some 8.x version.

Sending still works, but only for SMTP servers not requiring TLS.
What would I need to do to TLS enable this application?
There surely is some demo available for this, but I'd like to assess the
amount of time/complexity this task might require.

My application meanwhile provides some webservice as well using the
built in DataSnap technology of Delphi, which also means I already
distribute the 2 SSL DLLs required for this (I once updated them with
newer versions from the fulgran server).

Would TLS enabling SMTPCli interfere with those (by requiring some DLLs
with the same name but differently compiled or something like this)?

Greetings

Markus