Hikvision NVR - Email not working

[yellowbunny]

Hi all,
So, I've searched and searched, using a new US version Hikvision 8 port POE NVR (DS-7608NI-E2 series) with the latest firmware (3.4.95 build 170626), and I've tried my mail server address as well as actual IP address, also changed from router DNS to 8.8.8.8 and 8.8.4.4 google DNS servers, but I still get "Test Failed" when trying to get email notification setup.

What's going on? Are there any firmware hacks for these Hikvision NVRs that actually work (sorta like DD-WRT and Tomato for routers)?

 

[alastairstevenson]

If your (unspecified) email service is Gmail - then it works fine with that firmware version, when configured with SSL enabled, port 587 and in the Gmail account 'allow less secure devices' set.

 

[yellowbunny]

No, this is private email through a web hosting service, that I manage and I don't have any restrictions on it (use it with VOIP phones, voicemail emailing services, etc.). So not Gmail. I'm using SSL through port 465 per my server, and it works with everything else but not the NVR.

 

[alastairstevenson]

It sounds like a network capture of the dialogue might be the next step to determining what part of the setup protocol is not working.

 

[yellowbunny]

Ok, can I do that from the NVR? Or is that router-specific?

 

[alastairstevenson]

Ok, can I do that from the NVR?

It is possible to get some info from the NVR itself - but you'd need to hook up to the serial console to do so, which probably isn't practical.
Example with firmware 3.4.91 of using the 'Test' button for the email config, with a 'Testing succeeded' result :

alastair@PC-I5 ~ $ telnet 192.168.1.211
Trying 192.168.1.211...
Connected to 192.168.1.211.
Escape character is '^]'.

dvrdvs login: root
Password:


BusyBox v1.16.1 (2016-06-29 13:49:45 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

psh: applet not found
[root@dvrdvs /root] # who
root            ttyS000         ?       Jan  1 00:00:04 
root            pts/0           00:00   Sep 20 10:40:16 
[root@dvrdvs /root] # setconsole /dev/pts/0
smtp_connect getsockopt failed:: Invalid argument
Connect to SMTP server ok.
<nfs_test> start!
SSL_connect failed!!
2566104256:error:1408F10B:lib(20):func(143):reason(267):NA:0:
Connect to SMTP server ok.
#### msgRecv = 220 smtp.gmail.com ESMTP 193sm1289770wmh.47 - gsmtp

msg = EHLO dvrdvs

#######1 msgRecv = 250-smtp.gmail.com at your service, [95.148.76.176]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8

#######2 msgRecv = 220 2.0.0 Ready to start TLS


[root@dvrdvs /root] #

The usual method for examining network traffic originating from other than the PC you want to monitor on requires a switch that has a 'port mirroring' facility that allows a third device, such as a PC running wireshark, to listen in on the network traffic on the mirrored port.
A normal, unmanaged, switch won't have this facility, but it's quite common on a managed switch.

Presumably your hosting environment doesn't have the facility for network packet capture?

 

[yellowbunny]

Ok, got a smart switch mirrored port and Wireshark - what am I looking for? The only thing that looks weird is the "<accountName>" tag in one of the lines like "POST /ISAPI/System/Network/mailing..." has a bunch of jumbled characters in it - while everything else is plain text - I can see the email address, etc. So how can I find out if data is not being passed?

 

[alastairstevenson]

Ok, got a smart switch mirrored port and Wireshark - what am I looking for?

Any clues in the setup dialogue between the NVR and the mail server that is not encrypted such that you can't examine the contents.

 

[yellowbunny]

Ok, how's this? Seems to be a handshake failure in the SSL stuff - the NVR is connecting and saying hello, but the response is go away from the mail server - how can I figure out if it's an SSL version problem? What version of SSL does the NVR use (latest US firmware)?

 

[alastairstevenson]

Seems to be a handshake failure in the SSL stuff

Yes, that does seem to be the case.
With your implicit permission - I tried a test connection to your mail server from a Hikvision NVR running firmware 3.4.91
Email settings were SSL enabled, port 465, authentication required.
The test connection failed, with this showing in the NVR console :

Adjust date/time from RTC.
HostSetDateTime 2017-10-4 8:55:25

[root@dvrdvs /root] # smtp_connect getsockopt failed:: Invalid argument
Connect to SMTP server ok.
SSL_connect OK!!
want 220, received not expected response .
Connect to SMTP server ok.
select timeout or error!!
########init_mail_sender_TLS failed

The NVR is supporting SSLv3, which is good.
Looking at the network capture, the mail server response to the Client Hello gives a 'Handshake failure (40)'.
A quick Google search on that suggests the mail server may require the 'Server Name Indication' passed in the Client Hello, which is not included in the captured dialogue.
It's not a topic I'm familiar with, however this appears to describe the requirement : Server Name Indication - Wikipedia

However - I did wonder if this may be a consequence of me using the server IP address as opposed to the target FQDN (Fully Qualified Domain Name) so I also tried it with the reverse DNS value - which may not be your required target FQDN assuming multiple mail setvers are hosted on that address (though it looks the same as your screenshot).
This gave the same result, and I could see no server name embedded as part of the Client Hello.

According to the Wikipedia article :

In 2004, a patch for adding TLS/SNI into OpenSSL was created by the EdelKey project.[5] In 2006, this patch was then ported to the development branch of OpenSSL, and in 2007 it was back-ported to OpenSSL 0.9.8 (first released in 0.9.8f[6]).

And from the openssl library in the NVR :

OpenSSL 1.0.1l 15 Jan 2015
built on: Wed May 13 15:50:01 2015
platform: linux-armv4

SSLv3 part of OpenSSL 1.0.1l 15 Jan 2015

Suggesting that the code is new enough to implement that feature.
But, I suppose, having the SNI feature doesn'r necessarily mean that the NVR firmware makes use of it.

I'm not sure where you go from here - except maybe to see if any tech support (Hikvision - unlikely, but you never know) or the hosting provider, might be able to comment.

 

[yellowbunny]

Talked to my hosting company. SSL on the Hikvision isn't working properly. Had to use port 26 or 587. Not the 465 (std. SSL) or 110 (non-SSL) per hosting co. documentation. Weird. Oh well, working now. Thanks for your help.

 

[alastairstevenson]

Had to use port 26 or 587.

I was tempted to try one of the other open ports - but didn't want to trigger any security alerts.
Glad that you got some good tech support from the hosting company.

 

[bluealmond]

This worked for me, thanks.

 

[S474N]

Have same problem, now I have problem with SMTP. But weeks ago everything works perfectly. Now "Testing failed".

Tested on two different SMTP