Re: Nighthawk WiFi Routers - Emailing logs still a problem

Gbytze
Aspirant

Nighthawk WiFi Routers - Emailing logs still a problem

I have never been able to get this "basic" function to work.

I have been through the forums and tried everything, even on the latest release:

Firmware Version V1.0.3.26_1.1.18
Nighthawk X6 R8000

Still nothing -- all I get is

[email failed] internet connection is dropped, Tuesday, Jan 03,2017 08:37:39

or

[email sent to: xxx@gmail.com] Tuesday, Jan 03,2017 08:38:30

but nothing arrives in my Gmail... and yes, I have checked spam etc...

Sadly this one feature is my only negative about this router.. PLEASE Netgear -- FIX THIS!

Message 1 of 24
FURRYe38
Guru

Have you tried a different email provider to see if it works? Google has security features that may be blocking device generated emails. Try NetTalk email, they are free.

Check security settings in Gmail.

 

I would get on the phone with NG and ask about this as well.


My Setup (Cable 1Gbps/50Mbps)>CAX80 v2.1.2.1(LAG Disabled)>RBK853 v4.6.3.16(AP) & RBK752 v4.6.5.14
Additional NG HW: C7800/CM1100/CM1200CM2000, Orbi CBK40, CBR750, RBK50(v22), SXR30(v110), R7000(v34), R7800(v84), R7960P(v82), EX7500/EX7700, XR450(v120) and WNHDE111
Message 2 of 24
Gbytze
Aspirant

Yes, I have tried Gmail and direct to my ISP as well. I have had two support cases opened... sadly this was less than helpful--as they basically threw up their hands and stated it was a mail problem and not theirs.. the typical finger pointing and lack of service.. should have gone with ASUS

Message 3 of 24
FURRYe38
Guru

Not sure what else can be done then. This is something that needs to be handled by NG support.

I presume there may be an issue with how the emails are being received by the email provider or sent by the router. I'm thinking something along the lines of either email relay isn't working or security modes like TLS settings. I've seen this with other devices and email providers.

 

Seen this? https://community.netgear.com/t5/Nighthawk-WiFi-Routers/emailing-logs/m-p/990026#M19234

Message 4 of 24
StephenB
Guru

Is the mail server set to smtp.gmail.com and the port set to 587?

My mail server requires authentication should be checked.

 

If that is not enough, then on the google side, try setting your security to turn off two-factor authentication and to allow less-secure apps. The latter setting isn't as bad as it sounds, it just means that the router is using your google username and password.

 

 

Message 5 of 24
Rialbo
Aspirant

My latest disappointment is to find the R7000 router will only email my ISP mail service using SMTP.mymailservice.com and Port 25. Also the send to and username emails need to match.

The problems are four, the fourth seemingly insurmountable:

1. My ISP does not accept port 25 and I can not justify changing mail systems to please Netgear

2. AOL and GMAIL do have Port 25 support, if you subscribe to their mail accounts, but .....

3. Both are sent by the R7000 in clear-text transmissions so any security esp. HIPAA are invalid

4. Netgear Support refuses so far to acknowledge that clear-text logs and inability to select the SMTP Secure ports of the consumer's mail systems is a security issue. Have spent two weeks back and forth trying to convince Support to escalate my case and eventually upgrade the firmware. Oddly Version 1.5.0.x.x.x in Release notes and Setups showed Port 587 selectable. The routers I replaced with this R7000 (WGR614s and WPN) were selectable to whatever the required port. If anyone has more knowledge of an easy to implement forwarding mechanism to send the router output on Port 25 to a Port 587 mail server .... be doing a great public service.

 

Rialbo 

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 6 of 24
IrvSp
Master


Not sure what your problem is, but I've got an R7000 and I can use 587??? See screen capture of my e-mail setting (when available):

[Attached image: Capture.JPG]

All you need to do is enter 587 as the outgoing port and save it? I'm on 1.0.7.12 and have had this set for a LONG time on much older firmware versions.

 

Message 7 of 24
Rialbo
Aspirant

Many thanks for your posted reply. Using Charter.net for my other device-generated emails and my personal mail account requires Port 587 with username and password to enable message encryption.

 

Sending from the R7000 in your indicated manner as evidenced by use of my network sniffer shows the message and all handshaking packets in clear text and over Port 80 to Charter, not SMTP Port 587.

 

It is amazing what personal information can be gleaned from the snippets in the data stream by someone intercepting. If worried about the recent bill signing to allow ISPs to distribute browsing habits, every URL you visit and all unblocked ads, etc. are listed in those snippets.

 

The old routers I mentioned in my post encrypted, every one I've used before this R7000 and other brands that are still Port Selectable, perform the required encryption. I'm going to try an early firmware later today as I've mentioned the ver. 1.0.5.x.x.x release setup notes showed 587 with user and password enabled. This was now also suggested to me last night by Support Tier 2. Need to check  what subsequent releases have corrected before leaving it permanent. I know 1.0.7.x.x.x has QOS enhancements which can be pertinent.

 

Clear Text Intrusion Log Samples:

[Site blocked: dh.amcrestsecurity.com] from source 192.168.0.32, Saturday, Apr 08,2017 23:32:42

[Site blocked: s7.addthis.com] from source 192.168.0.29, Saturday, Apr 08,2017 16:53:49

[Site blocked: search.yahoo.com] from source 192.168.0.29, Saturday, Apr 08,2017 17:22:11

 

Rialbo

Message 8 of 24
IrvSp
Master

@Rialbo, I understand what you mean and why? When I was testing a port of an e-mail client from one OS to another I too captured packets and looked at them. I was AMAZED to see not only the main text in the clear, but the UID and P/W for accessing the server. I talked to the developers and the reason was that the server first of all didn't know who you were to allow access and then if it was encrypted they wouldn't know how so they couldn't decrypt it. Made sense to me. Think about this for a minute. If it was standard encryption and the same for ALL transmissions from everyone, then if they were all would be the same using the same key. If the key were known then anyone could decrypt the message they captured. Port 587 alone is NOT enough. TLS would be required, and that also requires your UserID and P/W to use. Still, those would be passed in clear text to the SMTP server as well.

 

Now I have Charter too, but I'm on Brighthouse that they acquired. Brighthouse (and I suspect Charter) used the 2 SMTP ports, 25 and 587 quite differently than what you seem to think. They allow both 25 and 587 when on their network. Both are usable without your UserID and P/W as you ARE on 'them'. However, when OFF their network 587 must be used AND with the USERID and P/W to allow use of the SMTP server.

 

THIS IS HOW Brighthouse describes the proper settings for incoming and outgoing servers.

 

You will note on my screen capture I did NOT have my UID and P/W entered nor Authentication checked. That is because I'm on the BH network and do NOT need it.

 

I would check with Charter though first to ensure that you CAN send encrypted e-mail to SMTP (I'll assume you've done this though). I'd be interested what the answer was too.

 

As for actually needing it, I am unsure why and IF I'd even bother? If someone can/would capture your router packets, they'd be able to determine everything that was in that log anyway? Only thing they couldn't get from packets would be the internal information the router enters into the log such as connections from LAN devices or rejected connection attempts probably?

 

By the way, even my e-mail client, Thunderbird is set the same way, and it has NO security.

 

I also searched Spectrums Support page for 'how to encrypt email' and there was no matching entries in 97 choices (all contained email, not encryption). If I searched for 'encryption' alone, 9 choices, most having to do with your private network.

 

Are you sure Charter can handle encrypted mail at all?

 

I happened to check support for email AT CHARTER.NET which is changed to SPECTRUM.NET. Interesting info:

 

Desktop-Only Email Settings

To ensure the best connection when configuring your Spectrum email account, we recommend using the settings below. These settings are required when setting up your email on a desktop computer only.

Note: Setting up a Spectrum Email account on a laptop, smartphone, PDA, tablet, eReader, etc., requires different settings. Learn more.

User Information Enter Settings Below Server Information Sign In Information More Settings

Your Name: Enter Your Name
Email Address: YourEmail@charter.net
Account Type: POP/IMAPIMAP
Incoming Email Server: IMAP.charter.net
Outgoing Email Server: SMTP.charter.net
User Name: YourUsername@charter.net
Password: The password you use to sign in to your email account
Outgoing Server settings tab:
  • Select the My outgoing server (SMTP) requires authentication option.
  • Select the Use same settings as my incoming mail server option.
Advanced settings tab:
  • Incoming server (IMAP) field: enter 143
  • Outgoing server (SMTP) field: enter 25
  • Select None for Use the following types of encrypted connections settings

 

They don't even LIST 587? Maybe that is why you can't enter it?

 

However the MOBILE settings (top of the link I referenced) does require 587... Does NOT mention encryption at all.

 

This is basically identical to what Brighthouse requires. Essentially the main difference on BH and I suspect Charter is the required use of UID and P/W when NOT on their network, has nothing to do with encryption on 587 but the fact that port 587 can authorize access with the correct UID and P/W.

Message 9 of 24
Rialbo
Aspirant

IrvSp,

Thank you for the followup post. The issue still appears to be the router inability to send via 587 encrypted and the sniffer, even with Firmware version 1.0.5_x.x.x the same result of clear text without using the Username / Password. The sniffer shows outbound Port 80. If I try with Username / Password on 587, the connection is refused by Charter / Spectrum, also with 465. Port 25 does go without the IDs. in clear text.

 

I also ran the sniffer using my Amcrest Camera mailing to Charter and personal private email as well which use the SMTP on Port 587 and the transmissions are pure gibberish from the device or mail client, through the inside network  x.x.0.1 until I see the email unencrypted in my Inbox.

 

Again, their earlier routers (WGR614v6, v7) were fine sending SMTP 587 encrypted and sniffer showed Port 587 as the outbound and no discernable text including headers.

 

I just want that capability back and I'm sure if Netgear wanted to they could copy the Js elements of one of those and splice it in, even if they had to leave out some of the other consumer least-used functions and features and menus to make room in the memory. Still hoping for that scenario or that Charter will do encrypted TLS. Frankly for most purposes except to thwart avid hackers sniffing of the general public's traffic, SSL was far better than open access as is now.

 

[Attached image: Encrypted 587 to Charter.jpg]

 

Working on an internal mail server / forwarder to send the router mail to which will in turn send it via my mail client on 587.  Any ideas would be carefully considered and appreciated.

 

Richard

Message 10 of 24
IrvSp
Master

Richard,

 


@Rialbo wrote:

IrvSp,

Thank you for the followup post. The issue still appears to be the router inability to send via 587 encrypted and the sniffer, even with Firmware version 1.0.5_x.x.x the same result of clear text without using the Username / Password. The sniffer shows outbound Port 80. If I try with Username / Password on 587, the connection is refused by Charter / Spectrum, also with 465. Port 25 does go without the IDs. in clear text.

 

I also ran the sniffer using my Amcrest Camera mailing to Charter and personal private email as well which use the SMTP on Port 587 and the transmissions are pure gibberish from the device or mail client, through the inside network  x.x.0.1 until I see the email unencrypted in my Inbox.

 


 

What 'sniffer' are you using? Are you saying the first TCP/IP packet shows Port 80 and you are expecting Port 587?

 

465 isn't really used as it wasn't adopted so that doesn't surprise me?

 

Does the camera go through the R7000?

 

Possible that NG doesn't get your Public Key and therefore can't do it?

Message 11 of 24
Rialbo
Aspirant

IrvSP,

The sniffer is Smart Sniff and if logged onto the same PC as the router as it is sending forth, all is captured.

All of the packets when sent without User / Password via 587 or 25 to whatever mail server go out Port 80 in plain text, whereas anything sent from within my local network via my mail client or directly by a device such as the cameras, show Port 587 and are encrypted.

I realize I am on the Charter network so risk is lessened using clear text, however being a Sr. Engineer in Enterprise Networks, that doesn't cut it if working from home and the router logs and sends in clear text, even if by chance, a URL or IP that I need to reach.

BTW ... the router is sending its mail beyond the internal network so blocking (ex. HTTP 80) has no effect if tried as a test. Don't know who engineered this beast but if identity theft concerns you ... X

Message 12 of 24
schumaku
Guru

Hi @Rialbo

 

Initially you started your demonstration on smtp.gmail.com:587 - and mentioned the email don't get delivered. Together with your observation of plain text password ... which should never go out on 587 before a STARTTLS and going through the TLS negotiation successfully. And - of course - Gmail does not accept any plain text AUTH attempts or the like...

 

220 smtp.gmail.com ESMTP q129sm13360284wmg.1 - gsmtp
HELO Kurt
250 smtp.gmail.com at your service
AUTH what.ever@gmail.com
530 5.7.0 Must issue a STARTTLS command first. q129sm13360284wmg.1 - gsmtp

Would be interesting to see if the R7000 - afraid have none with the Netgear stock firmware accessible - does even issue a STARTTLS ... and then it would be fun to see what is coming back from the other side... Quickly captured the sSMTP (root@R9000:/# ssmtp -V ...sSMTP 2.64 (Not sendmail at all)) talking to smtp.gmail.com:587 here - just the high level view:

 

[Attached image: Netgear SSMTP STARTTLS.PNG]

 

Two things can happen...

A) The R7000 does issue a STARTTLS ... but you are not talking to the Gmail SMTP server, but to some kind of anti-Spam-out proxy, and the R7000 code does fail for whatever interop/bug reason ... I've seen many variants over the years ... like not using a <cr><lf> - but using some <cr> or <lf> only ... or proxies / relays / ALGs not doing similar mistakes ... however this would be very unlikely on an ISP of this size.

...or...

B) The R7000 email client does simply not issue a STARTTLS ... either because the lack of a config or wrong defaults coded by Netgear.

In the "show original" view or checking the SMTP header we find ... (version=TLS1 cipher=AES128-SHA bits=128/128); ..confirming the TLSv1 application data we see on the captured data.

Return-Path: <[snip]@gmail.com>
Received: from R9000 ([IPsnip].cust.swisscom.ch. [<snip>])
        by smtp.gmail.com with ESMTPSA id [snip].49.2017.04.09.15.18.04
        for <[snip]@gmail.com>
        (version=TLS1 cipher=AES128-SHA bits=128/128);
        Sun, 09 Apr 2017 15:18:06 -0700 (PDT)
Message-ID: <[snip]@mx.google.com>
Received: by R9000 (sSMTP sendmail emulation); Mon, 10 Apr 2017 00:18:03 +0200
Date: Mon, 10 Apr 2017 00:18:03 +0200
Subject: NETGEAR R9000 Log
From: "root@R9000" <[snip]@gmail.com>
To: [snip]@gmail.com

[admin login] from source 192.168.1.2, Monday, April 10, 2017 00:16:42


Based on a similar report, it should not be difficult to reproduce the problem...

And I'm keen to see what does really happen 8-)

Can't imagine someone had the "bright" idea to fall-back to 80/TCP somehow - not aware there are any ISP permitting email submission on this port.

And very last - we can't blame Netgear using plain text AUTH and password on the standard SMTP 25/TCP .. there is no encryption on this port usually. And 25/TCP must no longer be used for SMTP submission, too.

 

TIA,

-Kurt

Message 13 of 24
Rialbo
Aspirant

Best regards to all Community who are participating in this thread. The effect to be achieved here is not to change email providers, to return selectable ROUTER-GENERATED email log encryption or not by consumer's choice to Netgear products, restore personal identity security as it may apply to the log mail.

As email providers, ISPs have not yet standardized on SMTP / SSL / TLS port and security options, the consumer needs to be able to select the one their mail system allows as was provided in earlier Netgear products and other capable brands of current devices. Apologies for the shouting above .. hope a qualified-someone at Netgear will hear.

Message 14 of 24
IrvSp
Master

@schumaku, I can TELNET to my mail server on Port 587 and issue some commands. I get these results:

 

------------

220 Welcome to Road Runner. WARNING: *** FOR AUTHORIZED USE ONLY! ***
ehlo r7000
250-cdptpa-omsmta03 says EHLO to [snip]:6028
250-AUTH=LOGIN PLAIN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
STARTTLS
334 UGFzc3dvcmQ6

------------

 

Now how can I tell exactly what the R7000 sends out with the log commands? Obviously my ISP can handle the encryption. One can tell that mail from the PC can/is encrypted too.

Message 15 of 24
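
Added example, not part of any post in this thread: a Python check that replays the two SMTP sessions posted above (the smtp.gmail.com exchange and the Road Runner telnet session) and reports whether AUTH was attempted before TLS was negotiated and what the base64 334 prompts decode to. The function audit_transcript, the Audit fields and the third session are this example's own; the third session is constructed and uses placeholder host names.

```python
import base64
import re
from dataclasses import dataclass, field

# Sessions copied from the thread (server lines start with a 3-digit code).
GMAIL_SESSION = """\
220 smtp.gmail.com ESMTP q129sm13360284wmg.1 - gsmtp
HELO Kurt
250 smtp.gmail.com at your service
AUTH what.ever@gmail.com
530 5.7.0 Must issue a STARTTLS command first. q129sm13360284wmg.1 - gsmtp
"""

ROADRUNNER_SESSION = """\
220 Welcome to Road Runner. WARNING: *** FOR AUTHORIZED USE ONLY! ***
ehlo r7000
250-cdptpa-omsmta03 says EHLO to [snip]:6028
250-AUTH=LOGIN PLAIN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
STARTTLS
334 UGFzc3dvcmQ6
"""

# Constructed session (not from the thread): a client-side debug log in which
# STARTTLS is negotiated before AUTH. Host names are placeholders.
TLS_FIRST_SESSION = """\
220 mail.example.net ESMTP
EHLO router
250-mail.example.net
250-STARTTLS
250 8BITMIME
STARTTLS
220 2.0.0 Ready to start TLS
EHLO router
250-mail.example.net
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
"""

SERVER_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class Audit:
    starttls_offered: bool = False      # server advertised STARTTLS after EHLO
    tls_established: bool = False       # client sent STARTTLS and got a 220
    auth_before_tls: bool = False       # AUTH command seen while still in clear
    server_demanded_tls: bool = False   # server answered 530 ... STARTTLS
    cleartext_auth_responses: int = 0   # lines sent in answer to a 334 without TLS
    prompts: list = field(default_factory=list)  # decoded 334 challenges


def audit_transcript(text):
    """Walk a client/server SMTP transcript and record the TLS/AUTH ordering."""
    result = Audit()
    awaiting_auth_response = False
    starttls_pending = False
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SERVER_LINE.match(line)
        if match:
            code, _, rest = match.groups()
            awaiting_auth_response = code == "334"
            if code == "250" and rest.upper().startswith("STARTTLS"):
                result.starttls_offered = True
            elif code == "334":
                # AUTH LOGIN challenges are base64 text, not encryption.
                try:
                    result.prompts.append(
                        base64.b64decode(rest, validate=True).decode("ascii"))
                except (ValueError, UnicodeDecodeError):
                    result.prompts.append(rest)
            elif code == "530" and "STARTTLS" in rest.upper():
                result.server_demanded_tls = True
            elif code == "220" and starttls_pending:
                result.tls_established = True
            starttls_pending = False
            continue
        if awaiting_auth_response:
            # Whatever follows a 334 is credential data, even if it looks
            # like a command.
            awaiting_auth_response = False
            if not result.tls_established:
                result.cleartext_auth_responses += 1
            continue
        verb = line.split()[0].upper()
        if verb == "AUTH" and not result.tls_established:
            result.auth_before_tls = True
        elif verb == "STARTTLS":
            starttls_pending = True
    return result


if __name__ == "__main__":
    for name in ("GMAIL_SESSION", "ROADRUNNER_SESSION", "TLS_FIRST_SESSION"):
        print(name, audit_transcript(globals()[name]))
```

In the Road Runner session the typed STARTTLS line follows a 334 prompt, so the server consumes it as the AUTH LOGIN username rather than as a command; the second 334 (Password:) confirms that.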
schumaku
Guru


Hi again....

@Rialbo wrote:

The effect to be achieved here is not to change email providers, to return selectable ROUTER-GENERATED email log encryption or not by consumer's choice to Netgear products, restore personal identity security as it may apply to the log mail.

Encrypting the log file and using a secured transport is not really the same.

@Rialbo wrote:

As email providers, ISPs have not yet standardized on SMTP / SSL / TLS port and security options, the consumer needs to be able to select the one their mail system allows as was provided in earlier Netgear products and other capable brands of current devices. 


This does still not explain why your attempt to configure the router for submitting the log email to Gmail on port 587/TCP which is the SMTP submission port does fail.

It's perfectly fine that Netgear can assume that each ISP does support the SMTP submission port on 587/TCP as per RFC2476 and that it does support STARTTLS as per RFC3207 some 15 years after its settlement - with most ISPs this port is transparent to other message handlers - unless it's the ISPs own email platform.

Very different - due to massive abuse for Spam over decades, ISPs had to start filtering/proxying/capturing all connections on 25/TCP certainly for consumer and small business connectivity. It is correct that RFC3207 with STARTTLS can be used for the intercommunication between MX handlers of course. But then, it should not be used to submit emails from end points at all. I've not checked if the ssmtp certainly in place on all Netgear routers in this class does check the capabilities of the receiver, and would use STARTTLS if it's offered. To pass this port capturing system, most ISP request an authentication for its own user base - connecting direct to another ISP SMTP server on 25/TCP is virtually denied ie. you can't talk direct to the Google Gmail, Live.com, or whatever other MX server on 25/TCP.

The pure SSL SMTP (smtps, implicit SSL) 465/TCP has never made it to any RFC and is obsolete - any existence is for pure legacy reasons only. While IANA had reserved the port, it was obsoleted in the last Century already.

 

Can't see anything we're asking the ISP to change.

In either case, there won't be an end-to-end encryption to fulfill your requirements. No common email provider has this. The leading secure email providers like ProtonMail, Keyon and some more of my old friends don't support M2M communication...

Using the SMTP submission port 587/TCP does implicit use STARTTLS if the submission server is permitting - so the transport channel can be considered secured.

Message 16 of 24
schumaku
Guru

@IrvSp wrote:

@schumaku, I can TELNET to my mail server on Port 587 and issue some commands. I get these results:

 

------------

220 Welcome to Road Runner. WARNING: *** FOR AUTHORIZED USE ONLY! ***
ehlo r7000
250-cdptpa-omsmta03 says EHLO to [snip]:6028
250-AUTH=LOGIN PLAIN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-STARTTLS
...


Assuming the R7000 does use the similar code to the R9000 - ssmtp, a standard email sender for embedded systems - I would expect it will switch to TLS (the 250-information is not used). The server operator looks comparably lazy, most likely they don't want to get involved with too many customer service calls - it looks likely they still continue to allow non-TLS. Reality check: This is on the ISPs own network only - so giving some trust into the infrastructure so there should not be too many MITM attacks possible.

Re-think the effective situation: On this level, the ISP could fake or capture or modify almost everything ... DNS returning other server IP addresses than the "real" one, even certificates are losing the value, and capturing the (encrypted) traffic and decoding (on a fake infrastructure I have the private key...). That much about the level of trust we should have in the ISP ... and finally the government. And yes, sometimes we build honeypots - exposed to the Internet, or set-up on corporate networks to capture potential attacker, data thieves, connection attempts, to analyze, to learn, to find potential issues.

@IrvSp wrote:

Now how can I tell exactly what the R7000 sends out with the log commands?

The most simple way is to check the full SMTP header of the email. In Gmail (Web UI) you use the "Show Original", in Outlook show header, ...

Here I've sent the log from the router through an email server not using TLS (for the sake of it, it's a test system and I've used port 25 - capturing the traffic has shown the ssmtp does not try STARTTLS on the port 25, even if the mail server would be able handling it): 

 

Received: from R9000 ([nn.nn.nn.nn]) by [host.name.domain] with SMTP
          for [snip@snip.snip]; Mon, 10 Apr 2017 19:29:37 +0200
Received: by R9000 (sSMTP sendmail emulation); Mon, 10 Apr 2017 19:29:36 +0200
Date: Mon, 10 Apr 2017 19:29:36 +0200
Subject: NETGEAR R9000 Log
From: "root@R9000" ...

Here I've sent the log from the router through an email server supporting STARTTLS on the SMTP submission port (587/TCP) - and the system taking the message does add the (version=TLS1 cipher= ...)

 

Received: from R9000 (whatever.isp.domain.duh. [nn.nn.nn.nn])
        by smtp.whatever.domain with ESMTPSA id xxxxxxxxxxxxx.15.2017.03.29.16.40.12
        for <[snip@snip.snip]>
        (version=TLS1 cipher=AES128-SHA bits=128/128);
        Wed, 29 Mar 2017 16:40:14 -0700 (PDT)
Message-ID: <xxxxxxxx.xxxxxxx.xxxxx.xxx@mx.whatever.domain>
Received: by R9000 (sSMTP sendmail emulation); Thu, 30 Mar 2017 01:40:12 +0200
Date: Thu, 30 Mar 2017 01:40:12 +0200
Subject: NETGEAR R9000 Log
From: "root@R9000" ..


Alternate, the IT network infrastructure way would be to capture the communication between the router and the network, the cable modem. Either it can be done on the router (the R9000 /debug.htm has an option to capture the data, don't know about the R7000 and other earlier Netgear routers), or it requires either an Ethernet tap or a partial managed switch permitting to configure a mirror port, a PC and ie Wireshark to capture all data. While it's not that complex, it requires some hardware, know-how and energy.

@IrvSp wrote:

Obviously my ISP can handle the encryption. One can tell that mail from the PC can/is encrypted too.

Again for completeness: This won't be an encrypted email. It's just about the SMTP traffic between the router or the PC will be in a TLSv1 tunnel so credentials and message content is not sent in plain text over the lines. On an intermediate system, everything will happen in plain text again.

 

I hope this does clarify things a little bit.

Message 17 of 24
IrvSp
Master

Kurt, thanks for the reply. I was 99.9% sure that I had to be on the output of the router to determine anything....

 

I do have my Header from the R7000 log that was sent today (no DEBUG.HTM on the R7000):

 

From - Mon Apr 10 10:19:40 2017
X-Account-Key: account3
X-UIDL: fdbf36c4-1ddc-11e7-b663-e7e7ec0f6eef
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
X-MUNQ: f886ec3dda14e168b491a89bfc694be0
X-MSK: HYD=0.535471605
Return-Path: <myID.com>
Received: from cdptpa-pub-iedge-vip.email.rr.com ([107.14.174.244])
          by cdptpa-fep14.email.rr.com
          (InterMail vM.8.04.03.24 201-2389-100-172-20151028) with ESMTP
          id <20170410110104.JCCQ21396.cdptpa-fep14.email.rr.com@cdptpa-pub-iedge-vip.email.rr.com>
          for <myID.com>; Mon, 10 Apr 2017 11:01:04 +0000
Return-Path: <myID.com>
Authentication-Results:  cdptpa-imsmta02 x-tls.subject="/C=US/ST=PA/L=Coudersport/O=Time Warner Cable/OU=Mail Operations/CN=cdptpa-oedge/emailAddress=dl-hrn-mailops.twcable.com"; auth=fail (cipher=DHE-RSA-AES256-GCM-SHA384)
Received: from [107.14.174.240] ([107.14.174.240:50679] helo=cdptpa-oedge-vip.email.rr.com)
	by cdptpa-imsmta02 (envelope-from <myID.com>)
	(ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384
	subject="/C=US/ST=PA/L=Coudersport/O=Time Warner Cable/OU=Mail Operations/CN=cdptpa-oedge/emailAddress=dl-hrn-mailops.twcable.com") 
	id 35/DC-05251-FE56BE85; Mon, 10 Apr 2017 11:01:04 +0000
Received: from [myIP] ([myIP:41763] helo=R7000)
	by cdptpa-omsmta02 (envelope-from <myID.com>)
	(ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTP
	id 58/29-16480-DE56BE85; Mon, 10 Apr 2017 11:01:01 +0000
DATE: 10 Apr 2017 07:01:00
Message-ID: <58.29.16480.DE56BE85@cdptpa-omsmta02>
FROM: <myID.com>
To: <myID.com>
Sender: root@R7000
Subject: NETGEAR R7000 Log [29:8F:3E]
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
X-Authority-Analysis: v=2.1 cv=fb9QsBkF c=1 sm=1 tr=0 a=pDOoDLtOQR4FWTtaF8EjVg==:117 a=luAv0Pyk2ki0A4ygHCUW9w==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=KGjhK52YXX0A:10 a=kj9zAlcOel0A:10 a=AzvcPWV-tVgA:10 a=rdfAWrEvv-UA:10 a=ayC55rCoAAAA:8 a=pTK8ThLAnKSTrGNS78QA:9 a=bbo0cmQ7EgHB4Win:21 a=DMblzOVuTDPcCBQN:21 a=CjuIK1q_8ugA:10 a=8107quwI9BUA:10 a=B_RyunTPg8udlmYm5Cu2:22
X-Cloudmark-Score: 0
X-RR-Connecting-IP: 107.14.168.208:25

I can't tell much from the above, other than the paths that were followed. Not sure what "

auth=fail (cipher=DHE-RSA-AES256-GCM-SHA384)

means either? A problem?

 

The last line is peculiar too, that indicates (to me) port 25 was used?

Now I do have RoadRunner as my Internet provider by my ISP, Brighthouse using the TWC mail system. Both are now owned by Charter and called Spectrum. To my knowledge nothing has changed for years with respect to e-mail or Internet.

 

From my post on 2017-04-08 07:58 PM you can see the screenshot that I am using port 587.

 

So I guess this now becomes a question if the R7000 honors my setting of Port 587 or no matter what turns it into Port 25?

 

I just ran a little test to see if the R7000 even read the port setting for e-mail. I changed it from 587 to 87, applied it, and then sent the log. Got this a few seconds later in the log:

 

[email failed] fail to connect to outgoing mail server, Monday, Apr 10,2017 17:07:43

 

So it does read and use the supplied port...

 

 

 

 

Message 18 of 24
schumaku
Guru

Ok, forgot mentioning that you read these headers bottom up. This is the first relevant SMTP hop of the submission - no obvious proof for TLS usage I'm afraid:

 

Received: from [myIP] ([myIP:41763] helo=R7000)
	by cdptpa-omsmta02 (envelope-from <myID.com>)
	(ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTP
	id 58/29-16480-DE56BE85; Mon, 10 Apr 2017 11:01:01 +0000
DATE: 10 Apr 2017 07:01:00
Message-ID: <58.29.16480.DE56BE85@cdptpa-omsmta02>
FROM: <myID.com>
To: <myID.com>
Sender: root@R7000

 

The ESMTP can point into the direction that the extended SMTP keywords like STARTTLS might be available. Afraid - despite of the complete information, thumbs up - it does not prove it was used for the first hop from the R7000 to the first MTA.

Let's look a little bit more into the further handling to the next MTA in the message deliver path.

A little bit harder is it to discover where the X-headers were added, ie, the 

X-RR-Connecting-IP: 107.14.168.208:25


Checking the PTR for the ip address shows this is cdptpa-imsmta02 ...

Name: cdptpa-imsmta02.email.rr.com
Address: 107.14.168.208

...the server in the next hop - after the server your router does talk to - so beyond the router's or user's control. As I've tried to explain before, 25 is used between different email handlers, ie MTA (Message Transfer Agent), so here the usage of 25/TCP is correct.

A comment to the X-RR-Connecting-IP ... I bet in the original RR infrastructure, they add the effective client (the router public) IP address there. Here it is a little bit different as this message was originating from another network, ie. a provider they took over.

Received: from [107.14.174.240] ([107.14.174.240:50679] helo=cdptpa-oedge-vip.email.rr.com)
	by cdptpa-imsmta02 (envelope-from <myID.com>)
	(ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384
	subject="/C=US/ST=PA/L=Coudersport/O=Time Warner Cable/OU=Mail Operations/CN=cdptpa-oedge/emailAddress=dl-hrn-mailops.twcable.com") 
	id 35/DC-05251-FE56BE85; Mon, 10 Apr 2017 11:01:04 +0000

...and it was received regardless of the authentication failure - again way beyond the router's or user's control - this is an internal issue in their email infrastructure:

Authentication-Results:  cdptpa-imsmta02 x-tls.subject="/C=US/ST=PA/L=Coudersport/O=Time Warner Cable/OU=Mail Operations/CN=cdptpa-oedge/emailAddress=dl-hrn-mailops.twcable.com"; auth=fail (cipher=DHE-RSA-AES256-GCM-SHA384)

Nothing to worry - probably the price they are paying for ongoing mergers, acquisitions, migrations, name changes, ... unrelated to the Netgear MUA (Message User Agent).

Message 19 of 24
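The bottom-up reading of the Received headers described in Message 19, as an added example (not code from any poster or from Netgear): it parses the two headers quoted in the thread and reports, per hop, the RFC 3848 `with` keyword and any recorded cipher. The function names, the Subject line and the body in the sample are constructed for this example.

```python
import re
from email import message_from_string

# The two Received headers quoted in the thread, newest first as in a real
# message. The Subject line and body are constructed for this example.
SAMPLE = """\
Received: from [107.14.174.240] ([107.14.174.240:50679] helo=cdptpa-oedge-vip.email.rr.com)
\tby cdptpa-imsmta02 (envelope-from <myID.com>)
\t(ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384
\tsubject="/C=US/ST=PA/L=Coudersport/O=Time Warner Cable/OU=Mail Operations/CN=cdptpa-oedge/emailAddress=dl-hrn-mailops.twcable.com")
\tid 35/DC-05251-FE56BE85; Mon, 10 Apr 2017 11:01:04 +0000
Received: from [myIP] ([myIP:41763] helo=R7000)
\tby cdptpa-omsmta02 (envelope-from <myID.com>)
\t(ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTP
\tid 58/29-16480-DE56BE85; Mon, 10 Apr 2017 11:01:01 +0000
Subject: constructed test message

constructed body
"""

def _first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def hops(raw_message):
    """Return one dict per Received header, in travel order (oldest hop first)."""
    result = []
    # Each MTA prepends its own header, so the bottom one is the first hop.
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        flat = " ".join(header.split())  # undo header folding
        proto = (_first(r"\bwith\s+([A-Za-z0-9]+)", flat) or "").upper() or None
        # RFC 3848: ESMTPS/ESMTPSA record STARTTLS, a trailing A records AUTH.
        # An MTA that ignores RFC 3848 may log plain ESMTP on an encrypted
        # session, so tls=False means "no TLS recorded", not proof of cleartext.
        result.append({
            "helo": _first(r"helo=([^\s)]+)", flat),
            "by": _first(r"\bby\s+(\S+)", flat),
            "with": proto,
            "cipher": _first(r"cipher=([A-Za-z0-9_-]+)", flat),
            "tls": proto in {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"},
            "auth": proto in {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"},
        })
    return result

if __name__ == "__main__":
    for n, hop in enumerate(hops(SAMPLE), 1):
        print(n, hop)
```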
IrvSp
Master

Re: Nighthawk WiFi Routers - Emailing logs still a problem

@schumaku, yes, I can't find the proof either?

 

Only 'small' possibility, although I do have port 587 checked, I do not supply my UserID and PW. From what I understand that is ONLY required when off the ISP's net which I am not. BTW, this ISP is a pain (I have triple play, net, tv, and phone). They have a TV app for mobile devices. I must sign-in with my ISP's account UID and PW to get that to work. Works fine at home, complete channel line-up available to me on my iPad. However ONCE I leave the house my channels are very limited, all based on my IP address. So they do know where 'I am' and one would think they know where the e-mails emanate from and know they were on the network...

 

Still, one has to wonder if this is a NG problem or not? Even then, if it is, I'm not sure of the seriousness of the problem?

 

I think I have a switch buried somewhere here. I guess if I was really interested I could insert it before the router and connect a PC to it? First problem is finding the switch, I don't recall seeing it in ages.

Message 20 of 24
IrvSp
Master

Re: Nighthawk WiFi Routers - Emailing logs still a problem


@schumaku wrote:


A comment to the X-RR-Connecting-IP ... I bet in the original RR infrastructure, they add the effective client (the router public) IP address there. Here it is a little bit different as this message was originating from another network, ie. a provider they took over.

Received: from [107.14.174.240] ([107.14.174.240:50679] helo=cdptpa-oedge-vip.email.rr.com)
	by cdptpa-imsmta02 (envelope-from <myID.com>)
	(ecelerity 3.6.9.48312 r(Core:3.6.9.0)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384
	subject="/C=US/ST=PA/L=Coudersport/O=Time Warner Cable/OU=Mail Operations/CN=cdptpa-oedge/emailAddress=dl-hrn-mailops.twcable.com") 
	id 35/DC-05251-FE56BE85; Mon, 10 Apr 2017 11:01:04 +0000

...and it was received regardless of the authentication failure - again way beyond the router's or user's control - this is an internal issue in their email infrastructure:

Authentication-Results:  cdptpa-imsmta02 x-tls.subject="/C=US/ST=PA/L=Coudersport/O=Time Warner Cable/OU=Mail Operations/CN=cdptpa-oedge/emailAddress=dl-hrn-mailops.twcable.com"; auth=fail (cipher=DHE-RSA-AES256-GCM-SHA384)

Nothing to worry - probably the price they are paying for ongoing mergers, acquisitions, migrations, name changes, ... unrelated to the Netgear MUA (Message User Agent).


No, this is sort of 'fake' in terms of servers. Brighthouse 'echoes' the TWC/RR servers. That is they use them but I'm not sure if they are copies or pointers to the RR servers. Matter of fact, whenever I've had e-mail problems BH support tells me to use the browser web client at TWC... logon with the same UID and PW for my account. I see everything there. So if something was sent for TWC/RR to BHN, it would have been identical and nothing more than moving it to a local server farm.

Message 21 of 24
schumaku
Guru

Re: Nighthawk WiFi Routers - Emailing logs still a problem


@IrvSp wrote:
Only 'small' possibility, although I do have port 587 checked, I do not supply my UserID and PW.

Reminds me of the big ISPs over here in Europe - they did the same 10 to 20 years ago for SMTP on 25/TCP ... all require authentication on 587/TCP now again, regardless of the source IPv4 address. But if they work without authentication, they must have strict testing and fingerprinting of all messages in place ... not just for the source, but also for the content, the amount of messages, ... otherwise abuse for mass-mails toward spam purpose would be easy.

 

Ref, the X-***-Connecting-IP entries ... have access to a large amount of messages in an archive (resp. the headers) -  for the majority the X-***-Connecting-IP does match to the effective IP address of the MUA, being the IPv4 address from where the message is really submitted.

Well possible that the two SMTP "hops" are not just MTA - and one or some can also store the complete email repository. 

 

Easiest way would be a way to capture the traffic on the router itself... Netgear? @ElaineM or @JamesGL ... can you help?

Message 22 of 24
doglmci0311
Aspirant

Re: Nighthawk WiFi Routers - Emailing logs still a problem

I think the aspmx.l.google.com route with google died sometime in 2016. I've tried it over and over still same issue. But it does work if you use it programmatically which tells me the firmware Firmware Version V1.0.3.36_1.1.25 has a bug in the email section.  I'm getting ready to UPGRADE to a linksys EA9500. Which is also buggy.

Message 23 of 24
schumaku
Guru

Re: Nighthawk WiFi Routers - Emailing logs still a problem


@doglmci0311 wrote:

I think the aspmx.l.google.com route with google died sometime in 2016. 


Most ISPs are capturing the SMTP traffic on 25/TCP on consumer and small business connections and force it to their own infrastructure. This might have happened by your ISP in 2016. Better late than never....

 

$ telnet aspmx.l.google.com 25
%TCPWARE_TELNET-I-TRYING, trying ASPMX.L.GOOGLE.COM,smtp (74.xx.xx.26,25) ...
%TCPWARE_TELNET-I-ESCCHR, escape (attention) character is "^\"
220 nwas.lb.bluewin.ch vimdzmsp-nwas02.bluewin.ch Swisscom AG ESMTP server ready
EHLO r8000@netgear.com
501 EHLO requires valid address

It's clear that this telnet session does _not_ connect to Google's IP(74.xx.xx.26) address - much more you talk to an ISP SMTP system, which might permit the submission of messages when using valid authentication to submit messages over their infrastructure. Your Gmail or G Suite authentication does not work there.

Only if your ISP Internet connection does not intercept 25/TCP you could use aspmx.l.google.com on Port 25. TLS not required, AUTH is not required, Dynamic IPs are allowed - however, messages can be submitted to Gmail or G Suite domain users only. And here I guess the sSMTP will not use STARTTLS ... and this is what a previous poster ( @Rialbo ) requested: The ability to configure the router to send to secured channels (TLSv1, mandatory use of STARTTLS also on port 25, or for the sake again the legacy SSL on port 456/TCP). But again - for 99.99% of the Nighthawk deployments on consumer/SOHO Internet connections ... this can't be used anyway.

When you want to submit email messages using Gmail (or G suite) from dynamic IP addresses (not a static one for the G suite case), you must use smtp.gmail.com:587 authenticate with your Gmail address and the App password generated (or for the sake of it the password if you don't have 2FA enabled on your account) - usage of TLS is mandatory, no message submission without STARTTLS is possible. Alternate is the legacy smtp.gmail.com:456 which does create an implicit SSL connection, no STARTTLS here. And of course, the sender (FROM) must be your Gmail or G Suite address. 587/TCP won't be captured by the ISPs - if it is, complain where complaints belong. Nothing any router make can change.

The same applies to any other reasonable email provider - just the names are changing, and the default requirements might be slightly different.


@doglmci0311 wrote:

V1.0.3.36_1.1.25 has a bug in the email section. 


It is software, so bugs are possible. However, most community members are unable to provide anything useful or related to _proof_ there is an issue. "Does not work" is a problem, but does not prove there are bugs. Most are simply caused by lack of insight and understanding and trying to carry forward what was working in 1995. And Message submission by SMTP to port 25 is dead in the year 2017.

 

Message 24 of 24
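The interception check from the telnet session in Message 24, as an added example (not code from any poster or from Netgear): it groups the server replies of a captured SMTP session, compares the greeting host with the server that was dialled, and reports whether STARTTLS was offered. `parse_replies` and `assess` are hypothetical helper names, and the second transcript is constructed.

```python
import re

# Server and client lines from the telnet session quoted in the thread.
FROM_THREAD = """\
220 nwas.lb.bluewin.ch vimdzmsp-nwas02.bluewin.ch Swisscom AG ESMTP server ready
EHLO r8000@netgear.com
501 EHLO requires valid address
"""

# Constructed session with a multi-line EHLO reply (hostnames are placeholders).
CONSTRUCTED = """\
220 mx.example.net ESMTP ready
EHLO client.example.org
250-mx.example.net at your service
250-SIZE 35882577
250-STARTTLS
250 ENHANCEDSTATUSCODES
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_replies(transcript):
    """Group server lines into (code, [text, ...]); 'NNN-' continues, 'NNN ' ends."""
    replies, current = [], []
    for line in transcript.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue  # client command or telnet client output
        current.append(m.group(3))
        if m.group(2) == " ":
            replies.append((int(m.group(1)), current))
            current = []
    return replies

def assess(transcript, expected_suffix):
    """Compare the greeting host with the dialled server and list EHLO results."""
    replies = parse_replies(transcript)
    if not replies or replies[0][0] != 220:
        raise ValueError("no 220 greeting in transcript")
    host = (replies[0][1][0].split() or [""])[0].lower()
    code, lines = replies[1] if len(replies) > 1 else (None, [])
    # In a 250 EHLO reply the first line is the greeting, the rest are extensions.
    exts = {l.split()[0].upper() for l in lines[1:] if l.split()} if code == 250 else set()
    return {
        "greeting_host": host,
        "expected_server": host == expected_suffix or host.endswith("." + expected_suffix),
        "ehlo_code": code,
        "starttls": "STARTTLS" in exts,
    }
```

For the session from the thread, `assess(FROM_THREAD, "google.com")` reports a greeting host under bluewin.ch and `expected_server` False, which is the mismatch pointed out in the post.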