rlebeau on master
PR #322 and #323 - merging chan…
Hello, Remy. Here are my results of the migration of secured email from Indy9 to Indy10, via different hosts.
1) Port is hardcoded to 465
2) Services to check: mailtrap.io and smtp.gmail.com
3) In our application the user can manually choose which type of SSL to use. By default it is OpenSSLv23, i.e. negotiation to choose the version is allowed.
Indy 9 code worked under those settings for both mailtrap.io and smtp.gmail.com.
smtp.gmail.com negotiated with the client to TLSv1.
Under Indy10, negotiation with mailtrap.io works fine;
with smtp.gmail.com negotiation doesn't work (why doesn't it negotiate to TLS at all?), but after applying the 'magic line'
AIdSMTP.UseTLS := utUseImplicitTLS;
smtp.gmail.com started to understand the application in negotiation mode too, and negotiation is resolved to TLSv1.2.
Now the question is: is it reliable to leave this line in, provided the end user would have their own mail server settings?
And why didn't negotiation work without that line?
UseTLS appropriately, as that governs how SSL/TLS is used during the SMTP session. UseTLS=utNoTLSSupport is the default; it means no SSL/TLS is used. UseTLS=utUseImplicitTLS performs an SSL/TLS handshake as soon as the socket is connected, before any SMTP traffic is exchanged. UseTLS=utUseExplicitTLS connects the socket initially unsecured and then issues an SMTP STARTTLS command to perform a handshake only if the server advertises support for that. Indy 9 did not support STARTTLS at all. Indy 10 does. So you have to specify which mode to use. Not all servers support STARTTLS, but those that do offer it for legacy clients so they don't have to use SSL/TLS if they don't want to. GMail supports both modes. Port 465 is SMTP's implicit SSL port, port 587 is the explicit TLS port.
OpenSSLVersion() wrapper function in the
IdOpenSSLSetLibPath() function to point to it), or if you are compiling for iOS devices (Indy compiles OpenSSL statically on that platform). Indy itself is compiled directly into your app (unless you enable runtime packages, in which case you would then have to deploy those)
But pls consider https://www.openssl.org/source/license.html, for example
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the
- Redistributions of any form whatsoever must retain the following
- "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- All advertising materials mentioning features or use of this software must display the following acknowledgement:
- "This product includes cryptographic software written by Eric Young (firstname.lastname@example.org)"
- The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-).
We are currently using the Explicit option, and here is the code:
However, I found that even if I remove line 2, it still works correctly. I checked the code for Authenticate; it calls StartTLS. Does TIdSMTP.Connect also call StartTLS somewhere?