Node-Red Email in 2023

Sorry, but that's FUD :wink:. Using the tools I suggested doesn't do anything different than launching an email app or the node-red email node, both of which he already did multiple times.

ok - maybe slightly exaggerating - but tools like nmap and portscan are def banned around here and will get your network port shut down pretty darn quick. Depends on the organisation of course - and indeed the IT group may be happy to help (if asked).

1 Like
  • Those tools have not been mentioned in this thread
  • Those tools would be of relatively little use here
  • What good does it do to respond with FUD to posts that suggest to take the opportunity of a vexing problem to go down a layer in the stack and learn how the protocols work by troubleshooting a bit?

It's not FUD to recommend you be careful when trying to do things on someone else's (your employer's) network. Yes I'm all for a bit of troubleshooting but in some cases it makes sense to ask permission or advice from the IT guys before you get a flag against your name. A bit like recommending someone be careful before playing with mains voltages.

1 Like

Sorry, that's FUD. Can you be specific and describe how what I recommended would in any way raise any eyebrow?

I was able to get some information from netcat, thanks for the suggestion!

The only port that connected successfully

mtg@mtg-desk:~ $ netcat -vzw 15 smtp-mail.outlook.com 587
Connection to smtp-mail.outlook.com (52.96.109.134) 587 port [tcp/submission] succeeded!

Using the same port but with Gmail timed out

mtg@mtg-desk:~ $ netcat -vzw 15 smtp.gmail.com 587
netcat: connect to smtp.gmail.com (209.85.232.109) port 587 (tcp) timed out: Operation now in progress
netcat: connect to smtp.gmail.com (2607:f8b0:400d:c0c::6d) port 587 (tcp) failed: Network is unreachable

Using Gmail's other outgoing port timed out as well

mtg@mtg-desk:~ $ netcat -vzw 15 smtp.gmail.com 465
netcat: connect to smtp.gmail.com (173.194.175.109) port 465 (tcp) timed out: Operation now in progress
netcat: connect to smtp.gmail.com (2607:f8b0:400d:c0e::6d) port 465 (tcp) failed: Network is unreachable

I tested Outlook and Gmail's incoming IMAP and POP3 connections as well.

Outlook IMAP

mtg@mtg-desk:~ $ netcat -vzw 15 outlook.office365.com 993
netcat: connect to outlook.office365.com (40.99.157.2) port 993 (tcp) timed out: Operation now in progress
netcat: connect to outlook.office365.com (40.99.149.162) port 993 (tcp) timed out: Operation now in progress
netcat: connect to outlook.office365.com (40.99.149.130) port 993 (tcp) timed out: Operation now in progress
netcat: connect to outlook.office365.com (2603:1026:c0d:34::2) port 993 (tcp) failed: Network is unreachable
netcat: connect to outlook.office365.com (2603:1026:c0d:20::2) port 993 (tcp) failed: Network is unreachable
netcat: connect to outlook.office365.com (2603:1026:c0d:73::2) port 993 (tcp) failed: Network is unreachable

Outlook POP3

mtg@mtg-desk:~ $ netcat -vzw 15 outlook.office365.com 995
netcat: connect to outlook.office365.com (52.98.152.178) port 995 (tcp) timed out: Operation now in progress
netcat: connect to outlook.office365.com (40.99.149.210) port 995 (tcp) timed out: Operation now in progress
netcat: connect to outlook.office365.com (52.98.228.50) port 995 (tcp) timed out: Operation now in progress
netcat: connect to outlook.office365.com (40.99.150.114) port 995 (tcp) timed out: Operation now in progress
netcat: connect to outlook.office365.com (2603:1026:c0d:c06::2) port 995 (tcp) failed: Network is unreachable
netcat: connect to outlook.office365.com (2603:1026:c0d:829::2) port 995 (tcp) failed: Network is unreachable
netcat: connect to outlook.office365.com (2603:1026:c0d:81a::2) port 995 (tcp) failed: Network is unreachable
netcat: connect to outlook.office365.com (2603:1026:c0d:828::2) port 995 (tcp) failed: Network is unreachable

Gmail IMAP

mtg@mtg-desk:~ $ netcat -vzw 15 imap.gmail.com 993
netcat: connect to imap.gmail.com (172.253.63.108) port 993 (tcp) timed out: Operation now in progress
netcat: connect to imap.gmail.com (172.253.63.109) port 993 (tcp) timed out: Operation now in progress
netcat: connect to imap.gmail.com (2607:f8b0:4004:c0b::6d) port 993 (tcp) failed: Network is unreachable
netcat: connect to imap.gmail.com (2607:f8b0:4004:c0b::6c) port 993 (tcp) failed: Network is unreachable

Gmail POP3

mtg@mtg-desk:~ $ netcat -vzw 15 pop.gmail.com 995
netcat: connect to pop.gmail.com (142.251.163.109) port 995 (tcp) timed out: Operation now in progress
netcat: connect to pop.gmail.com (142.251.163.108) port 995 (tcp) timed out: Operation now in progress
netcat: connect to pop.gmail.com (2607:f8b0:400d:c0e::6c) port 995 (tcp) failed: Network is unreachable
netcat: connect to pop.gmail.com (2607:f8b0:400d:c0e::6d) port 995 (tcp) failed: Network is unreachable

Sorry for the long post but I figured more information is better than less. I included the redundant time out and failed messages because the addresses were slightly different. This is a quote from inMotion (a webhosting service):
" If the remote node’s firewall drops the connection request, it may timeout:
nc: connect to domain.com port 21 (tcp) timed out: Operation now in progress"

It mentioned a different outcome if a port is specifically blocked. Does that mean there is hope?

Interesting, thanks for posting the output! Network is unreachable means that the router doesn't know (or want to) forward a packet to the destination IP address, which is an IPv6 address. So most likely IPv6 is not usable. The IPv4 connection timed out. I just tried:

> nc 173.194.175.109 465


asdfasdfasdf
F⏎

So it connected and the remote end disconnected once I typed some garbage at it (that doesn't look like a TLS hello).

Not really, you can't make such general assumptions. The FW could reset the TCP connection explicitly but typically it's easier to just drop the packets silently.

You could try some of the same ports against random servers (e.g. web servers) and see whether they all time out or whether you get some "signal". That might tell you whether the ports are blocked or whether the hosts are blocked. Here's me testing against a local server that refuses connections to port 465 and a public server that accepts:

> nc -v core2 465
nc: connect to core2 port 465 (tcp) failed: Connection refused
> nc -v portquiz.net 465
Connection to portquiz.net 465 port [tcp/submissions] succeeded!

(The connection refused could be sent by the firewall, but given your experience so far it would be unlikely.)
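The outcomes discussed above (succeeded, timed out, network unreachable, connection refused) can be sorted mechanically. This is an added example, not code from any poster in the thread; the sample lines are taken from the output quoted here, and the outcome labels and function names are the example's own.

```python
import re

# Constructed sample: four lines taken from the netcat/nc output quoted in this thread.
SAMPLE = """\
Connection to smtp-mail.outlook.com (52.96.109.134) 587 port [tcp/submission] succeeded!
netcat: connect to smtp.gmail.com (209.85.232.109) port 587 (tcp) timed out: Operation now in progress
netcat: connect to smtp.gmail.com (2607:f8b0:400d:c0c::6d) port 587 (tcp) failed: Network is unreachable
nc: connect to core2 port 465 (tcp) failed: Connection refused
"""

OK_RE = re.compile(r"Connection to (\S+)(?: \((\S+)\))? (\d+) port \[[^\]]*\] succeeded!")
FAIL_RE = re.compile(
    r"(?:nc|netcat): connect to (\S+)(?: \((\S+)\))? port (\d+) \(tcp\) "
    r"(timed out|failed): (.*)")

def classify(line):
    """Return (host, port, family, outcome) for one nc -v line, or None."""
    m = OK_RE.search(line)
    if m:
        host, addr, port, outcome = m.group(1), m.group(2), m.group(3), "open"
    else:
        m = FAIL_RE.search(line)
        if not m:
            return None
        host, addr, port, kind, reason = m.groups()
        if kind == "timed out":
            outcome = "dropped"     # SYN got no answer: silent filtering or dead host
        elif "unreachable" in reason:
            outcome = "no-route"    # local stack or router has no path (here: IPv6)
        elif "refused" in reason:
            outcome = "refused"     # an RST came back from the host or a firewall
        else:
            outcome = "other"
    family = "unknown" if addr is None else ("IPv6" if ":" in addr else "IPv4")
    return host, int(port), family, outcome

def summarize(text):
    """Best outcome per (host, port): open > refused > dropped > no-route."""
    rank = {"open": 3, "refused": 2, "dropped": 1, "no-route": 0, "other": 0}
    best = {}
    for line in text.splitlines():
        rec = classify(line)
        if rec:
            host, port, _family, outcome = rec
            key = (host, port)
            if key not in best or rank[outcome] > rank[best[key]]:
                best[key] = outcome
    return best

if __name__ == "__main__":
    for (host, port), outcome in summarize(SAMPLE).items():
        print(f"{host}:{port} -> {outcome}")
```

A host and port that only ever shows "dropped" on IPv4 alongside "no-route" on IPv6 matches the pattern in the Gmail results above; it does not by itself say whether the port or the host is being filtered.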

Thank you for the detailed response.

Would the Outlook and Gmail examples of SMTP be an example of what you are talking about? Port 587 connected to Outlook's server, but timed out with Gmail's.

1 Like

Yup, I overlooked that. It could be that there's an exception for outlook mail submission that lets that through, or it could be that gmail is blocked. Given all the results you have it seems to me that email is just generally blocked from your network. A common reason is to avoid getting blacklisted due to spam originating from the office as a result of some compromised device.

No it isn't. I've worked at places where just attaching a device like a Pi would get you into serious trouble. (In fact I've worked with organisations where just carrying such a thing into the building would see you at the end of a handgun but that's a different issue!).

Plenty of places wouldn't even let your Pi connect to anything locally. And would require authentication even to WiFi.

And anywhere with a smart network protection service running could pick up on attempts by an unknown device to probe outgoing network ports. While not likely to be triggered over a single probe, would certainly be picked up if you continued to try after being rejected. Especially if the organisation had taken a deliberate decision to ban access to GMail.

Unknown outbound SMTP connections specifically are a high-risk connection that can be an indication of malware inside the corporate network.

If I had to guess, I'd say that your organisation already uses Office 365 but not Google. But it isn't allowing IMAP inbound connections.

At this point, you really do need to listen to Dave. Not sure what kind of organisation you work for but you are on quite dangerous ground now. You at least need to go check the terms and conditions of use of your corporate IT services before continuing.

You are now potentially putting the OP's job at risk. They need to check before continuing.

I'll not be carrying on with this thread now unless they confirm that it is OK for them to continue.
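How a network monitoring service might separate a single denied attempt from repeated ones, and flag outbound SMTP from a host that is not a sanctioned sender, as described in the posts above. This is an added example, not part of the original thread; the log format, the addresses, the approved-sender list and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}          # SMTP relay and submission ports
APPROVED_SENDERS = {"10.0.0.25"}     # assumption: the sanctioned internal mail relay
REPEAT_THRESHOLD = 3                 # assumption: denied attempts before escalating

# Constructed firewall log lines (hypothetical format, documentation addresses).
SAMPLE_LOG = """\
2023-05-01T09:00:01 ALLOW src=10.0.0.25 dst=198.51.100.10 dport=587
2023-05-01T09:00:05 DENY src=10.0.5.23 dst=192.0.2.109 dport=587
2023-05-01T09:00:21 DENY src=10.0.5.23 dst=192.0.2.109 dport=465
2023-05-01T09:01:02 DENY src=10.0.5.23 dst=203.0.113.7 dport=587
2023-05-01T09:02:10 ALLOW src=10.0.7.40 dst=198.51.100.10 dport=587
2023-05-01T09:03:00 DENY src=10.0.9.9 dst=192.0.2.50 dport=443
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")

def review_outbound_smtp(log_text):
    """Return {src: finding} for unapproved hosts attempting outbound SMTP."""
    denied = defaultdict(int)
    allowed = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines in an unexpected format
        _ts, action, src, _dst, dport = m.groups()
        if int(dport) not in SMTP_PORTS or src in APPROVED_SENDERS:
            continue                      # not SMTP, or the sanctioned relay
        (denied if action == "DENY" else allowed)[src] += 1
    findings = {}
    for src in set(denied) | set(allowed):
        if allowed[src]:
            findings[src] = "unapproved SMTP allowed out"
        elif denied[src] >= REPEAT_THRESHOLD:
            findings[src] = "repeated denied SMTP attempts"
        else:
            findings[src] = "isolated denied SMTP attempt"
    return findings

if __name__ == "__main__":
    for src, finding in sorted(review_outbound_smtp(SAMPLE_LOG).items()):
        print(src, "->", finding)
```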

I appreciate all the suggestions and advice given so far.

We do use Office 365 and not Google. I am aware of others in the company who have written software that makes use of automated email services with IT's blessing. I believe this was using Python and/or LabVIEW, and was most likely using a company issued laptop/desktop. Not sure if they used something like IMAP but I'm not sure how else they would've accomplished their task. Regardless, I realize my situation is quite different.

I also know that my position and our department is given elevated rights and access from IT. Obviously that doesn't mean I can do whatever I want on our network, but to some degree we have a working understanding with our IT that troubleshooting and engineering on this level is going to happen.

Despite what I've written above, I will check with our IT liaison and ask him how I should proceed. It might be possible to use the nodes with a company email vs one I created specifically to be used with Node-Red. If there are any developments or further progress made on this I will post any solutions or future questions.

1 Like

OK, that's good. So you can note that O365 Exchange Online has its own methods of automation and its own connectivity so not terribly surprising that other email protocols are locked down.

I didn't really consider it, but is there another way to receive emails from my Outlook email address?

I don't have to use the email node, I was pursuing this path due to it working previously. If there is another way to read my inbox that isn't overly complicated, and avoids the issues I'm having, I would be open to trying while I wait to hear back from IT.

Ha! You are about to go down the ultimate rabbit hole. :slight_smile:

Microsoft have rafts of libraries and SDK's to "help" you access Office 365 services.

:laughing: I was just reading about that a little bit. Is there a "preferred" way to use something like that with Node-Red? Are there any other node palettes I could install to make interacting with the sdk's easier? Would I ultimately run into similar issues due to blocked ports?

If your IT guys are expecting you to do these sorts of things (or try them), then they may be amenable to a discussion about opening ports as well. Eg they could open it but restrict to requests from your sub-domain. Or they may have other suggestions or ideas.

Funnily enough, I was looking at one of the SDK's last night - the one that accesses the Microsoft graph. It was relatively easy to set up - if you know node.js and JavaScript :slight_smile:

Trouble is - you still need your IT dept. to configure something in Azure to allow your app to work.

Sigh... It seems as though all roads point to IT. :upside_down_face: I'm supposed to have a meeting with one of the guys this afternoon, so we will see what they recommend. I'm hoping it could be as simple as allowing my subdomain to allow incoming traffic on the port. I confirmed that port 993 (incoming email) is open if I use the company's mail server. I will update after the meeting.

1 Like

This post was recommended to me in my email digest. A few things to note, and covered here already.

  1. Email node works fine with google mail. I’ve had it working for years with no issue.

[edit to cut various waffle]

  1. To the guy who repeatedly said “that is FUD”… I have and I agree with some on this thread saying that you can be hauled up into an HR meeting quick smart if you do certain things in certain businesses. It’s laughable to suggest you shouldn’t exercise caution. Working cultures vary hugely between different industries, countries, etc. - keep an open mind.

Anyway hope you got it sorted in the end? A quick command in a telnet session is usually all it takes to see if something is blocked but as mentioned, chat to IT first if you aren’t the guy in charge…