roundcube_tls_icon's People

Contributors

filinovs, germancoding, piccar, williamdes

roundcube_tls_icon's Issues

ignore_hops cannot be set to a constant, when emails sometimes first run over a local mailing list manager

I have on the same system RoundCube and Mailing list manager. When an email for me enters the system, the top-second Received: header contains information about how the email entered the system. When the email is first sent from outside to the mailing list manager and then to me, the top-second Received: header contains information about how the mailing list manager transmitted the email to the LDA. Example:

Received: from mail.aegee.org ([unix socket])
         by mail.aegee.org (Cyrus 3.4.4) with LMTPA;
         Mon, 19 Dec 2022 08:44:21 +0000
Received: from mail (localhost [127.0.0.1])
        by mail.aegee.org (8.17.1/8.17.1) with ESMTP id 2BJ8iFIV2112641;
        Mon, 19 Dec 2022 08:44:19 GMT
Received: by LISTS.AEGEE.ORG (LISTSERV-TCP/IP release 17.0) with spool id
          16690518 for [email protected]; Mon, 19 Dec 2022 08:44:15
          +0000
Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com
          [209.85.214.170]) by mail.aegee.org (8.17.1/8.17.1) with ESMTPS id
          2BEIoBw93590222 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
          bits=256 verify=OK) for <[email protected]>; Wed, 14 Dec
          2022 18:50:12 GMT
Received: by mail-pl1-f170.google.com with SMTP id x2so2978273plb.13 for
 <[email protected]>; Wed, 14 Dec 2022 10:50:12 -0800 (PST)

Relevant in this case is the fourth header from top, since it contains information whether the email entered the system in a secure manner (TLS).

Provided that Received headers have the form from X (Y [1.2.3.4]) by Z, where X and Y are likely the EHLO-greeting / inverse PTR IP-lookup, tls_icon shall detect the header that was first inserted, when the email entered the system and look in it for STARTTLS-signs.

Instead of the property $config['tls_icon_ignore_hops'] = …; there shall be another property with known hosts as strings for the system and the first header (the one closest to the end of the email), which is to the current system, but not from the current system, shall be checked for STARTTLS-information.

Support sendmail headers

Here come headers inserted by sendmail. I show the two uppermost received headers, only the second one is relative:

Received: from mail.aegee.org ([unix socket])
         by mail.aegee.org (Cyrus 3.4.4) with LMTPA;
         Sun, 18 Dec 2022 07:03:24 +0000
Received: from 69-171-232-143.mail-mail.facebook.com (69-171-232-143.mail-mail.facebook.com [69.171.232.143])
        by mail.aegee.org (8.17.1/8.17.1) with ESMTPS id 2BI73F8b1489360
        (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO)
        for <my@address>; Sun, 18 Dec 2022 07:03:16 GMT

verify=NO means that the sending server has not voluntarily presented a certificate. Another example with verify=OK:

Received: from mail.aegee.org ([unix socket])
         by mail.aegee.org (Cyrus 3.4.4) with LMTPA;
         Fri, 16 Dec 2022 22:41:09 +0000
Received: from smtp.github.com (out-18.smtp.github.com [192.30.252.201])
        by mail.aegee.org (8.17.1/8.17.1) with ESMTPS id 2BGMf4uY685293
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
        for <my@address>; Fri, 16 Dec 2022 22:41:05 GMT

Please add parsing for sendmail-generated Received: headers and possibly add an option whether only postfix or only sendmail generated headers shall be handled (if this option would make things faster).

Originally posted by @dilyanpalauzov in #4 (comment)

Conflicting config.inc.php files due to installer autocopy

Received: from mail-oi1-f171.google.com (mail-oi1-f171.google.com [209.85.167.171])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by xxxx.xxxxx.wdes.eu (Postfix) with ESMTPS id 32C204606D
    for <[email protected]>; Wed, 6 Jul 2022 00:27:21 +0000 (UTC)

Do you want me to make a PR and fancy tests?

Not working for all mails

I don't know if I've misconfigured the plugin (I'm not very comfortable with the configuration of Roundcube, Postfix, etc...) but of all my mails, none show that it uses an encrypted connection. I do have headers indicating that the mail uses a TLS protocol.

Here's an example:

Received: from damioski.de
    by h3005393.stratoserver.net with LMTP
    id yKsqAIpCn2QdDRkA5DZ6zQ
    (envelope-from <bounces+1849726-61f7-admin=damioski.de@mailserviceemailout1.namecheap.com>)
    for <[email protected]>; Fri, 30 Jun 2023 23:00:58 +0200
Received: from o7.mailservice.namecheap.com (o7.mailservice.namecheap.com [168.245.28.209])
    (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by damioski.de (Postfix) with ESMTPS id 4536747A26BA
    for <[email protected]>; Fri, 30 Jun 2023 23:00:57 +0200 (CEST)

Configuration file:

$config['tls_icon_ignore_hops'] = 0;

Explain the tooltips

Postfix TLS logging looks like this:

TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

And Sendmail like this:

TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO

These log messages, which we display in a HTML title attribute (tooltip), are not entirely self-explanatory. Users might have questions like:

  • What does (256/256 bits) mean in Postfix (or Sendmail)?
  • What does "cipher" mean?
  • What about TLS protocol versions?
  • What does Sendmail's verify flag mean?

It would be cool if we had a way to explain these things to users, without completely blowing up the tooltip. At the very least, we need HTML styling to use newlines and perhaps display the data in a more structured form. We could also link to a "help" page which covers these things (may be hosted on Roundcube instances, on a GitHub Wiki, or externally). This also requires some sort of HTML support within the tooltips.

We first need to decide on if and how we want to tackle this and what an implementation could look like. For example, if we wanted to style a custom popup, how do we integrate this with Roundcube themes?

multiple Received headers handling

In a setup with amavisd-new, the first Received header does not contain information about TLS, just information about the local amavis-postfix connection. For example, here is a chronological extract of Received headers from one email:

Received: from localhost (unknown [127.0.0.1])
    by localhost.sk (Postfix) with ESMTP id 120FE21170
    for [email protected]; Sat, 27 Feb 2021 22:57:57 +0000 (UTC)
Received: from localhost.sk ([127.0.0.1])
    by localhost (localhost.sk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id LPlRL9aYu1cL for [email protected];
    Sat, 27 Feb 2021 23:57:55 +0100 (CET)
Received: from mx1.slc.paypal.com (mx2.slc.paypal.com [173.0.84.227])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by localhost.sk (Postfix) with ESMTPS id 9EF9B20AA9
    for [email protected]; Sat, 27 Feb 2021 23:57:54 +0100 (CET)

Please would it be possible to iterate over the Received headers and pick only the last one (which is actually describing real incoming connection, including relevant TLS info)?

Thanks!
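
An added example (not part of the issues above and not tls_icon's own code) of the hop selection the ignore_hops, sendmail and amavisd-new reports ask for, returning the TLS details as separate fields that a structured tooltip could use. It walks the Received headers newest first and stops at the first hop whose recorded peer is outside the system, so headers below that hop, which the sender controls, are never consulted. The settings `$localHosts` and `$localPeers` and the function names are hypothetical, and the sample headers are constructed from those quoted above with placeholder addresses.

```php
<?php
// Added example, not tls_icon code. $localHosts and $localPeers are hypothetical
// settings; $received is constructed from the headers quoted in the issues above.
function parse_hop(string $raw): array
{
    $h = preg_replace('/^Received:\s*/i', '', preg_replace('/\s+/', ' ', trim($raw)));
    $hop = ['from' => null, 'peer' => null, 'by' => null, 'tls' => null];
    // "from HELO (rdns [peer])": the bracketed peer is written by the receiving MTA.
    if (preg_match('/^from (\S+)(?: \([^()\[\]]*\[([^\]]+)\])?/i', $h, $m)) {
        $hop['from'] = strtolower($m[1]);
        $hop['peer'] = $m[2] ?? null;
    }
    if (preg_match('/(?:^| )by (\S+)/i', $h, $m)) {
        $hop['by'] = strtolower($m[1]);
    }
    if (preg_match('/\(using (TLS\S+) with cipher (\S+) \((\d+)\/\d+ bits\)/', $h, $m)) {
        // Postfix style; no verify flag in this format
        $hop['tls'] = ['version' => $m[1], 'cipher' => $m[2], 'bits' => (int) $m[3], 'verify' => null];
    } elseif (preg_match('/\(version=(\S+) cipher=(\S+) bits=(\d+) verify=(\w+)\)/', $h, $m)) {
        // Sendmail style
        $hop['tls'] = ['version' => $m[1], 'cipher' => $m[2], 'bits' => (int) $m[3], 'verify' => $m[4]];
    }
    return $hop;
}

function ingress_hop(array $received, array $localHosts, array $localPeers): ?array
{
    foreach ($received as $raw) {              // newest hop first, as in the message
        $hop = parse_hop($raw);
        if (!in_array($hop['by'], $localHosts, true)) {
            return null;                       // not written by our own servers: stop
        }
        $internal = $hop['peer'] !== null
            ? in_array($hop['peer'], $localPeers, true)
            : ($hop['from'] === null || in_array($hop['from'], $localHosts, true));
        if (!$internal) {
            return $hop;                       // first hop with an outside peer
        }
    }
    return null;
}

$received = [
    'from mail.aegee.org ([unix socket]) by mail.aegee.org (Cyrus 3.4.4) with LMTPA; Mon, 19 Dec 2022 08:44:21 +0000',
    'from mail (localhost [127.0.0.1]) by mail.aegee.org (8.17.1/8.17.1) with ESMTP id 2BJ8iFIV2112641; Mon, 19 Dec 2022 08:44:19 GMT',
    'by LISTS.AEGEE.ORG (LISTSERV-TCP/IP release 17.0) with spool id 16690518 for <list@example.org>; Mon, 19 Dec 2022 08:44:15 +0000',
    'from mail-pl1-f170.google.com (mail-pl1-f170.google.com [209.85.214.170]) by mail.aegee.org (8.17.1/8.17.1) with ESMTPS id 2BEIoBw93590222 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=OK) for <list@example.org>; Wed, 14 Dec 2022 18:50:12 GMT',
    'by mail-pl1-f170.google.com with SMTP id x2so2978273plb.13 for <list@example.org>; Wed, 14 Dec 2022 10:50:12 -0800 (PST)',
];
$hop = ingress_hop($received, ['mail.aegee.org', 'lists.aegee.org'], ['unix socket', '127.0.0.1']);
echo json_encode($hop, JSON_PRETTY_PRINT), PHP_EOL;
```

A hop is treated as internal on the peer address the receiving server recorded, not on the HELO name, because an outside sender chooses its own HELO name.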

1.3.0 regression - list of messages not shown

I have PHP 8.1.16, Roundcube 1.16.1. and Roundcube_TLS_Icon 1.3.0.

If the function storage_init($p) has this body:

        public function storage_init($p)
        {
                $headers = isset($p['fetch_headers']) ? $p['fetch_headers'] : '';
                $p['fetch_headers'] = trim($headers) . ' ' . strtoupper('Received');
                return $p;
        }

then the list of messages (in INBOX) does not load. When I change to

        public function storage_init($p)
        {
                $p['fetch_headers'] = trim(($p['fetch_headers']?? '') . ' ' . strtoupper('Received'));
                return $p;
        }

the list of messages is displayed. As far as I can see, in the first implementation, $p['fetch_headers'] is set to RECEIVED with a leading space, in the latter function body $p['fetch_headers'] is set to RECEIVED.

Defect introduced by 973b91b .
