SMTPSecureSocket encrypted transfer?


I currently have the problem that for unencrypted SMTP the hotel seems to redirect it to some proxy and filter/reject mails!

I see with CURL I can go encrypted to my real server and not get through the hotel smtp proxy.

But as far as I try with SMTPSecureSocket in my application, it seems to always send plain text!

Did someone get it send encrypted and can tell me the configuration?

my configuration:

[code] s.Secure = true
s.Port = 587
s.Address = server
s.Username = accountName
s.Password = password

s.Address = “”
s.CertificateFile = SpecialFolder.Preferences.Child(“”)
s.ConnectionType = s.TLSv12

s.Secure = true
s.SMTPConnectionMode = SMTPSecureSocket.ModeSTARTTLS

I clearly only want encrypted transfer and never unencrypted. And if the certificate does not match mine, I want an error and not fall back to plain text.

PS: Or do I have to use my plugin to get it secure?

I overwrote write method to stop it in case it authenticates without security:

[code]Sub write(Data As String)
if data.left(4) = “AUTH” and not me.Secure then
end if

super.Write data
End Sub[/code]

No one?
I just switched an app to use MBS CURL Plugin.

Code is like this with CURL Plugin:

[code] dim email as new CURLEmailMBS
email.SetFrom “test@test.test”, “Christian Schmitz”
email.AddBCC “test@test.test”, “Christian Schmitz”
for each emailText as string in emails
email.AddTo emailText, AnName.Text

email.SMTPUsername = c.Username
email.SMTPServer = c.Address
email.SMTPPassword = c.Password
email.Subject = Betreff.Text
email.PlainText = ConvertEncoding(Inhalt.Text, encodings.UTF8)

gotServerError = false

curl = new CURLSMBS

if curl.SetupEmail(email) then
// ok

dim ee as integer = curl.Lasterror
Break // problem?
end if

curl.OptionPort = c.Port
curl.OptionSSLVerifyHost = 2
curl.OptionSSLVerifyPeer = 1
curl.OptionCAInfo = c.CertificateFile.NativePath
curl.YieldTime = true
curl.OptionVerbose = true
curl.CollectOutputData = true
curl.CollectDebugData = true
curl.OptionFTPSSL = curl.kFTPSSL_ALL
curl.OptionSSLVersion = curl.kSSLVersionTLSv12

// curl.Perform follows…

This does uses TLSv1.2 / DHE-RSA-AES256-GCM-SHA384 for me.
And it accepts only the right certificates and not a fake one based on some other root certificate.

see also Feedback case 39516.


I’d really like Xojo to respond to this.

Btw I would recommend you change the title to “Transfers with SMTPSecureSocket NOT encrypted!”

Looks like SMTPSecureSocket is falling back to insecure if it doesn’t get a certificate, when it should abort with an error.

I’ve seen many hotel WiFi systems divert email on port 25 to an internal server that masquerades the mail server, then forwards the email.

I found out by accident only because I have SPF set up for my mail server and the hotel’s IP got bounced as ‘not authorized to send email for this domain’

I immediately set up my server with a certificate and set Thunderbird and such to ONLY connect via Secure on port 495 for outgoing mail.

This is really scary!

I’m more scared by the reaction of Xojo people. The bug case is not even reviewed, no reply and not much response in general.
Seems like nobody is using it?

hello? Xojo anyone?

YES! hello? Xojo anyone?

The silence is deafening. Maybe we should post this question somewhere else?

Maybe the NSA won’t let them reply to it? :stuck_out_tongue_winking_eye:

In that case: Hello? NSA anyone?

The canary is dead.

Yeah, seems so. The Feedback case still is in “Needs review”.

I just assigned my top 1 feedback position to this case
If we want them to look at it, we probably should add it to our list of important stuff.
it’s now ranked 155th.
Before I assigned my points it wasn’t ranked.
Remember that feedback is the official support channel, and not this place

I made it my #1 feedback position too. Now Rank is now 55.

We should start working together on this type of stuff. We should all pick one thing that most of us need to push it to the top. Eventually all our problems would go away. :slight_smile:

Made it my #1 Case, too. Now Rank up to 36th.