germancoding / roundcube_tls_icon
Roundcube plugin that displays a lock icon next to the subject line, showing the encryption state of an inbound mail
License: Other
I have RoundCube and a mailing list manager on the same system. When an email for me enters the system, the top-second Received: header contains information about how the email entered the system. When the email is first sent from outside to the mailing list manager and then to me, the top-second Received: header contains information about how the mailing list manager transmitted the email to the LDA. Example:
Received: from mail.aegee.org ([unix socket])
by mail.aegee.org (Cyrus 3.4.4) with LMTPA;
Mon, 19 Dec 2022 08:44:21 +0000
Received: from mail (localhost [127.0.0.1])
by mail.aegee.org (8.17.1/8.17.1) with ESMTP id 2BJ8iFIV2112641;
Mon, 19 Dec 2022 08:44:19 GMT
Received: by LISTS.AEGEE.ORG (LISTSERV-TCP/IP release 17.0) with spool id
16690518 for [email protected]; Mon, 19 Dec 2022 08:44:15
+0000
Received: from mail-pl1-f170.google.com (mail-pl1-f170.google.com
[209.85.214.170]) by mail.aegee.org (8.17.1/8.17.1) with ESMTPS id
2BEIoBw93590222 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
bits=256 verify=OK) for <[email protected]>; Wed, 14 Dec
2022 18:50:12 GMT
Received: by mail-pl1-f170.google.com with SMTP id x2so2978273plb.13 for
<[email protected]>; Wed, 14 Dec 2022 10:50:12 -0800 (PST)
Relevant in this case is the fourth header from the top, since it contains information on whether the email entered the system in a secure manner (TLS).
Provided that Received headers have the form "from X (Y [1.2.3.4]) by Z", where X and Y are likely the EHLO greeting / inverse PTR IP lookup, tls_icon shall detect the header that was first inserted, when the email entered the system, and look in it for STARTTLS signs.
Instead of the property $config['tls_icon_ignore_hops'] = …;
there shall be another property with known hosts as strings for the system, and the first header (the one closest to the end of the email) which is to the current system but not from the current system shall be checked for STARTTLS information.
Reading the code (Roundcube_TLS_Icon/tls_icon.php, line 34 in 4b1fb86): it should be: uses the first Received header. Do you agree?
Here come headers inserted by sendmail. I show the two uppermost Received headers; only the second one is relevant:
Received: from mail.aegee.org ([unix socket]) by mail.aegee.org (Cyrus 3.4.4) with LMTPA; Sun, 18 Dec 2022 07:03:24 +0000
Received: from 69-171-232-143.mail-mail.facebook.com (69-171-232-143.mail-mail.facebook.com [69.171.232.143]) by mail.aegee.org (8.17.1/8.17.1) with ESMTPS id 2BI73F8b1489360 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO) for <my@address>; Sun, 18 Dec 2022 07:03:16 GMT
verify=NO means that the sending server has not voluntarily presented a certificate. Another example with verify=OK:
Received: from mail.aegee.org ([unix socket]) by mail.aegee.org (Cyrus 3.4.4) with LMTPA; Fri, 16 Dec 2022 22:41:09 +0000
Received: from smtp.github.com (out-18.smtp.github.com [192.30.252.201]) by mail.aegee.org (8.17.1/8.17.1) with ESMTPS id 2BGMf4uY685293 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <my@address>; Fri, 16 Dec 2022 22:41:05 GMT
Please add parsing for Sendmail-generated Received: headers, and possibly add an option for whether only Postfix- or only Sendmail-generated headers shall be handled (if this option would make things faster).
Originally posted by @dilyanpalauzov in #4 (comment)
Received: from mail-oi1-f171.google.com (mail-oi1-f171.google.com [209.85.167.171])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by xxxx.xxxxx.wdes.eu (Postfix) with ESMTPS id 32C204606D
for <[email protected]>; Wed, 6 Jul 2022 00:27:21 +0000 (UTC)
Do you want me to make a PR and fancy tests?
I don't know if I've misconfigured the plugin (I'm not very comfortable with the configuration of Roundcube, Postfix, etc.), but of all my mails, none show that they use an encrypted connection. I do have headers indicating that the mail uses a TLS protocol.
Here's an example:
Received: from damioski.de
by h3005393.stratoserver.net with LMTP
id yKsqAIpCn2QdDRkA5DZ6zQ
(envelope-from <bounces+1849726-61f7-admin=damioski.de@mailserviceemailout1.namecheap.com>)
for <[email protected]>; Fri, 30 Jun 2023 23:00:58 +0200
Received: from o7.mailservice.namecheap.com (o7.mailservice.namecheap.com [168.245.28.209])
(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by damioski.de (Postfix) with ESMTPS id 4536747A26BA
for <[email protected]>; Fri, 30 Jun 2023 23:00:57 +0200 (CEST)
Configuration file:
$config['tls_icon_ignore_hops'] = 0;
Postfix TLS logging looks like this:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
And Sendmail like this:
TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO
These log messages, which we display in a HTML title attribute (tooltip), are not entirely self-explanatory. Users might have questions like:
- What does "(256/256 bits)" mean in Postfix (or Sendmail)?
- What does the "verify" flag mean?
It would be cool if we had a way to explain these things to users, without completely blowing up the tooltip. At the very least, we need HTML styling to use newlines and perhaps display the data in a more structured form. We could also link to a "help" page which covers these things (may be hosted on Roundcube instances, on a GitHub Wiki, or externally). This also requires some sort of HTML support within the tooltips.
We first need to decide on if and how we want to tackle this and what an implementation could look like. For example, if we wanted to style a custom popup, how do we integrate this with Roundcube themes?
In a setup with amavisd-new, the first Received header does not contain information about TLS, just information about the local amavis-postfix connection. For example, here is a chronological extract of Received headers from one email:
Received: from localhost (unknown [127.0.0.1])
by localhost.sk (Postfix) with ESMTP id 120FE21170
for [email protected]; Sat, 27 Feb 2021 22:57:57 +0000 (UTC)
Received: from localhost.sk ([127.0.0.1])
by localhost (localhost.sk [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id LPlRL9aYu1cL for [email protected];
Sat, 27 Feb 2021 23:57:55 +0100 (CET)
Received: from mx1.slc.paypal.com (mx2.slc.paypal.com [173.0.84.227])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by localhost.sk (Postfix) with ESMTPS id 9EF9B20AA9
for [email protected]; Sat, 27 Feb 2021 23:57:54 +0100 (CET)
Please, would it be possible to iterate over the Received headers and pick only the last one (which actually describes the real incoming connection, including the relevant TLS info)?
Thanks!
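A small standalone parser, added here as an example and not the plugin's own code, that covers both requests in this thread: it recognises the Postfix and Sendmail TLS formats quoted above and, instead of counting hops, walks the Received chain from the oldest header upwards and picks the first hop received by one of the configured local hosts from a host that is not local, which skips the Cyrus, LISTSERV and amavisd-new loopback hops. The sample headers are constructed from those quoted in the reports, and local_hosts stands in for the "known hosts" option proposed in the first issue.

```python
import re

# Constructed samples, built from the headers quoted in the reports above (newest hop first).
AMAVIS_CHAIN = [
    "Received: from localhost (unknown [127.0.0.1]) by localhost.sk (Postfix) with ESMTP id 120FE21170",
    "Received: from localhost.sk ([127.0.0.1]) by localhost (localhost.sk [127.0.0.1]) "
    "(amavisd-new, port 10024) with ESMTP id LPlRL9aYu1cL",
    "Received: from mx1.slc.paypal.com (mx2.slc.paypal.com [173.0.84.227])\n"
    "\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n"
    "\t(No client certificate requested)\n\tby localhost.sk (Postfix) with ESMTPS id 9EF9B20AA9",
]
SENDMAIL_HOP = ("Received: from smtp.github.com (out-18.smtp.github.com [192.30.252.201]) by mail.aegee.org "
                "(8.17.1/8.17.1) with ESMTPS id 2BGMf4uY685293 (version=TLSv1.2 "
                "cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <my@address>")

TLS_PATTERNS = [
    # Postfix: "(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) ...)"
    re.compile(r"using (?P<version>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"),
    # Sendmail: "(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO)"
    re.compile(r"version=(?P<version>TLSv[\d.]+) cipher=(?P<cipher>\S+) bits=(?P<bits>\d+) verify=(?P<verify>\w+)"),
]
FROM_RE = re.compile(r"^Received:\s*from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

def tls_info(header):
    """Return {'version', 'cipher', 'bits', 'verify'} or None for a plaintext hop.
    'verify' is reported only by Sendmail; Postfix hops carry None there."""
    for pat in TLS_PATTERNS:
        m = pat.search(" ".join(header.split()))  # unfold RFC 5322 folding whitespace first
        if m:
            info = {"verify": None, **m.groupdict()}
            info["bits"] = int(info["bits"])
            return info
    return None

def hop(header):
    # (from_host, by_host) of one Received line, lower-cased; a 'by'-only hop has from_host None.
    h = " ".join(header.split())
    f, b = FROM_RE.search(h), BY_RE.search(h)
    return (f.group(1).lower() if f else None, b.group(1).rstrip(";,").lower() if b else None)

def incoming_hop(chain, local_hosts):
    """Walk the chain oldest-first (bottom of the header block) and return the first hop
    received BY one of our hosts FROM a host that is not ours: the real inbound connection."""
    local = {h.lower() for h in local_hosts}
    for header in reversed(chain):
        src, dst = hop(header)
        if dst in local and src is not None and src not in local:
            return header
    return None
```

If every hop is local (e.g. a mail injected on the box itself), incoming_hop returns None and no lock icon should be shown rather than a guessed one.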
I have PHP 8.1.16, Roundcube 1.16.1 and Roundcube_TLS_Icon 1.3.0.
If the function storage_init($p) has this body:
public function storage_init($p)
{
    // Problematic version: when 'fetch_headers' is unset, $headers is '' and the
    // concatenation yields ' RECEIVED' with a leading space.
    $headers = isset($p['fetch_headers']) ? $p['fetch_headers'] : '';
    $p['fetch_headers'] = trim($headers) . ' ' . strtoupper('Received');
    return $p;
}
then the list of messages (in INBOX) does not load. When I change to
public function storage_init($p)
{
    // Working version: trim() runs on the joined string, so the result is 'RECEIVED'
    // when no other headers were requested.
    $p['fetch_headers'] = trim(($p['fetch_headers'] ?? '') . ' ' . strtoupper('Received'));
    return $p;
}
the list of messages is displayed. As far as I can see, in the first implementation $p['fetch_headers'] is set to " RECEIVED" with a leading space; in the latter function body $p['fetch_headers'] is set to "RECEIVED".
Defect introduced by 973b91b.