Sending Emails over Secure Email Connections with S7-1500 and S7-1200 CP 1543-1, CP 1243-1 STEP 7 V14, TMAIL_C https://support.industry.siemens.com/cs/ww/en/view/46817803 Siemens Industry Online Support

Upload: vananh

Post on 05-Jun-2018


Establishing Secure Connection to Email Server Entry ID: 46817803, V1.0, 07/2017

Siemens AG 2017 All rights reserved

Warranty and Liability

Note The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.

We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.

Security information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept. Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit http://www.siemens.com/industrialsecurity.

Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends to apply product updates as soon as available and to always use the latest product versions. Use of product versions that are no longer supported, and failure to apply latest updates may increase customer’s exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under http://www.siemens.com/industrialsecurity.

Table of Contents

Warranty and Liability
1 Introduction
1.1 Overview
1.2 Mode of operation
1.3 Components used
2 Engineering
2.1 Hardware configuration
2.2 Configuration and parameterization
2.2.1 Determining and downloading the provider's certificate
2.2.2 Allowing email account access by CP
2.2.3 Activating the security features in the CP
2.2.4 Importing the provider certificate into STEP 7 (TIA Portal)
2.2.5 Adding the provider certificate to the CP
2.2.6 Connecting the CP to the Internet
2.2.7 Configuring the DNS server
2.2.8 Parameterizing the TMail system data types in STEP 7 (TIA Portal)
2.2.9 Parameterizing the "TMAIL_C" instruction
2.2.10 Setting the S7 CPU's time
2.2.11 Determining the CP's hardware identifier
3 Valuable Information
3.1 SMTP servers and ports of providers
3.2 Overview of the system data types of "TMAIL_C"
3.3 Alternative solutions
3.3.1 Integrating certificates into STEP 7 V13
3.3.2 Configuring the CP 1543-1 in STEP 7 V13
3.3.3 Setting up a secure connection to an e-mail server in STEP 7 V13
4 Appendix
4.1 Service and support
4.2 Links and literature
4.3 Change documentation


1 Introduction

1.1 Overview

Sending e-mails is used as the default mechanism for transmitting error conditions or warnings from industrial plants to a control center or operating staff. The SIMATIC S7 product range includes products that support this protocol.

Nowadays, for security reasons, most email servers only support secure connections. Therefore, the secure email connection method has been added to communications processors that support the "Send e-mail" function.

This application example shows you how to set up a secure connection (SMTP over TLS) to an e-mail server with the CP 1543-1 in an S7-1500 station.

1.2 Mode of operation

The following figure shows the most important relationships between the components involved and the steps that are necessary to set up a secure connection (SMTP over TLS) to an e-mail server.

Figure 1-1: [Diagram. Labels: Email service provider (SMTP server; email account with user name and password); Engineering in STEP 7 (TIA Portal) with the certificate store (columns idx, Cert_Name; entries Cert_xy, Cert_xy1) and the Tmail parameters; S7-1500/S7-1200 with "TMAIL_C"; SMTP over TLS; numbered steps 1 to 4.]

Table 1-1

| Step | Description |
|---|---|
| 1 | Determine the certificate of your e-mail service provider. In the e-mail account, allow the communications processor (CP) to access the e-mail account via SMTP or SMTPS. |
| 2 | Import the certificate of your e-mail service provider into STEP 7 (TIA Portal). |
| 3 | In the S7-1500 or S7-1200 station, perform the following configuration steps: add the certificate that you have imported into STEP 7 (TIA Portal) to the CP; connect the CP to the Internet; configure the DNS server; call and parameterize the "TMAIL_C" instruction in the user program of the S7 CPU; set the S7 CPU's time. |
| 4 | Send the e-mail over a secure connection (SMTP over TLS). |

1.3 Components used

This application example was created with the following hardware and software components:

Table 1-2

| Component | No. | Article no. | Note |
|---|---|---|---|
| CPU 1513-1 PN | 1 | 6ES7513-1AL01-0AB0 | Alternatively, you can use any other S7-1500 CPU, an S7-1200 CPU or an ET 200SP CPU. |
| CP 1543-1 | 1 | 6GK7543-1AX00-0XE0 | If you are using an S7-1200 CPU, you need one of the following CPs: CP 1243-1 (6GK7243-1BX30-0XE0), CP 1242-7 GPRS (6GK7242-7KX31-0XE0), CP 1243-7 LTE (6GK7243-7KX30-0XE0, 6GK7243-7SX30-0XE0), CP 1243-8 IRC (6GK7243-8RX30-0XE0). If you are using an ET 200SP CPU, you need one of the following CPs: CP 1542SP-1 IRC (6GK7542-6VX00-0XE0), CP 1543SP-1 (6GK7543-6WX00-0XE0). |

This application example consists of the following components:

Table 1-3

| Component | File name | Note |
|---|---|---|
| Document | 46817803_EMail_with_CP1543-1.pdf | - |


2 Engineering

2.1 Hardware configuration

The following figure shows the hardware configuration.

Figure 2-1: [Hardware configuration diagram. Labels: Plant (components 1 to 5), Internet, Provider (email server) with email account (user name, password), Control center, Email recipient (email client).]

The following table shows the IP addresses of the plant's hardware components.

Table 2-1

| No. | Component | IP address | Subnet mask |
|---|---|---|---|
| 1 | CPU 1513-1 PN | 192.168.0.1 | 255.255.255.0 |
| 2 | CP 1543-1 | 172.16.43.4 | 255.255.0.0 |
| 3 | CPU 1214C | 192.168.0.2 | 255.255.255.0 |
| 4 | CP 1243-1 | 172.16.43.5 | 255.255.0.0 |
| 5 | DSL router | 172.16.0.1 | 255.255.0.0 |

2.2 Configuration and parameterization

2.2.1 Determining and downloading the provider's certificate

Overview

A certificate is a public key signed by the owner (in this case: the e-mail service provider) that ensures its authenticity and integrity.

This certificate must first be determined and then downloaded from the provider's website.

Determining the provider's certificate

This application example uses Google's e-mail service, Gmail, to demonstrate how to import a certificate. Microsoft Internet Explorer is used as the Web browser. Other browsers have different dialogs.


1. To determine your provider's certificate, log in to your Gmail account.

2. In the Internet Explorer address bar, click the "Security report" icon. The "Website Identification" dialog opens.

3. Click "View certificates". The "Certificate" dialog opens.

4. Open the "Certification Path" tab. It displays the name of the certificate that is used by your provider. Gmail uses the "GeoTrust Global CA" certificate.


Downloading the provider's certificate

Each provider normally offers the appropriate certificates for download on its website.

As an example, Table 2-2 provides the links to Telekom's and Google's certificates.

Table 2-2

| Name of certificate | Used by | Link |
|---|---|---|
| Telekom Root CA 2 | Web.de, GMX | Telekom Root CA 2 certificate |
| GeoTrust Global CA | Gmail | Use the Windows Console Root to export the certificate (see Figure 2-2). Then you can import the certificate into STEP 7 (TIA Portal). Requirement: The certificate is installed on the PC. |
| T-TeleSec GlobalRoot Class 3 | T-Online | T-TeleSec GlobalRoot Class 3 |

Figure 2-2


2.2.2 Allowing email account access by CP

In your email account, allow the CP to access your email account via SMTP or SMTPS. These settings differ depending on the provider.

The following instructions show you how to allow the CP to access an email account of the following providers:

GMX

Web.de

T-Online

Gmail

First, log in to your email account.

GMX

1. In the "E-mail" tab, click "Settings".

2. Select "POP3/IMAP demand".

3. Check the "Send and receive e-mails via external program (Outlook, Thunderbird)" check box.

4. Click "Save".

Web.de

1. In the "Inbox" tab, click "Settings".

2. Select "POP3/IMAP demand".

3. Check the "Send and receive e-mails via external program (Outlook, Thunderbird)" check box.

4. Click "Save".

T-Online

T-Online allows access by any e-mail client. The only thing that is necessary is a valid e-mail password.

1. In the "Menu" tab, click "Settings".

2. Select "Passwörter" (Passwords).

3. In "E-mail password - For using an e-mail program", click "Change e-mail password".

4. In "Set up additional e-mail program of other providers", click "Edit".

5. Specify a password.


Gmail

1. Click the "Settings" icon.

2. Select the "Settings" context menu.


3. Open the "Forwarding and POP/IMAP" tab.

4. In "IMAP access", select the "Enable IMAP" function.


5. Click "Save Changes".


6. Follow the instructions described at the link below: Enabling Third-party Apps in Gmail

2.2.3 Activating the security features in the CP

Activating the security features in the CP requires that a user with sufficient configuration rights be logged in.

A security user is authorized to make global security settings.

Creating a security user and logging the user in to the global security settings

To create a security user and log this user in to the global security settings, follow the instructions below:

1. In the device or network view, select the CP. The Inspector window displays the CP properties.

2. In the area navigation of the "Properties" tab, select the "Security" item to display the CP's security properties in the Inspector window.


3. Click the "User login" button to create a new security user or log an existing security user in to the global security settings.


4. If you need to create a new security user, make the following settings in the "Global security settings > User login" dialog:

– Specify a user name and password

– Confirm the password

– Click the "Log in" button to create the security user and log the user in to the global security settings.


5. To log an existing security user in to the global security settings, make the following settings in the "Global security settings > User login" dialog:

– Enter the security user's user name and password.

– Click the "Log in" button.

6. The successful login of the security user is shown in the "Global security settings > User login" dialog.


Activating security features

1. In the device or network view, select the CP. The Inspector window displays the CP properties.

2. In the area navigation of the "Properties" tab, select the "Security" item to display the CP's security properties in the Inspector window.

3. Enable the "Activate security features" function.


2.2.4 Importing the provider certificate into STEP 7 (TIA Portal)

The provider certificate must be imported into STEP 7 (TIA Portal). This application example imports the "Telekom Root CA 2" certificate into STEP 7 (TIA Portal).

Requirement

The security user must be logged in to the global security settings. This login is required to insert the provider's certificate in the certificate manager.

If necessary, log the security user in to the global security settings as described in the following section:

1. In the project tree, go to "Global security settings" and double-click the "User login" item.


2. In the STEP 7 (TIA Portal) workspace, enter the security user's user name and password. Click the "Log in" button.

Note Chapter 2.2.3 describes how to create a security user.

Instructions

1. To open the certificate manager in the STEP 7 (TIA Portal) workspace, proceed as follows: In the project tree, go to "Global security settings" and double-click the "Certificate manager" item.


2. In the "Certificate authority (CA)" tab, import the certificate, for example "Telekom Root CA 2".

3. When you have imported the certificate, for example "Telekom Root CA 2", into STEP 7 (TIA Portal), you must add it to the CP. Chapter 2.2.5 describes how to do this.

2.2.5 Adding the provider certificate to the CP

Add the provider certificate to the CP.

Instructions for the CP 1543-1

1. In the device or network view, select the CP 1543-1. The Inspector window displays the CP 1543-1 properties.

2. In the area navigation of the "Properties" tab, go to "Security" and select the "Certificate manager" item to add the provider certificate to the CP 1543-1.

3. In "Certificates of the partner devices", add the "Telekom Root CA 2" certificate. The ID is the certificate number. Enter this value in the connection parameters for the "TLSServerCertRef" parameter.


Instructions for the CP 1243-1

1. In the device or network view, select the CP 1243-1. The Inspector window displays the CP 1243-1 properties.

2. In the area navigation of the "Properties" tab, go to "Security" and select the "Certificate manager" item to add the provider certificate to the CP 1243-1.

3. In "Trustworthy client certificates", add the "Telekom Root CA 2" certificate. The ID is the certificate number. Enter this value in the connection parameters for the "TLSServerCertRef" parameter.


2.2.6 Connecting the CP to the Internet

Connect the Ethernet interface of the CP to the router that establishes the connection to the Internet (e.g., a DSL router).

In the hardware configuration, set the IP address and subnet mask of the CP and the router address.

Instructions

1. In the network or device view, select the CP. The Inspector window displays the CP properties.

2. In the area navigation of the "Properties" tab, go to "Ethernet interface [X1]" and select the "Ethernet addresses" item.

3. Make the following settings:

– IP address and subnet mask of the CP

– Internal IP address of the DSL router


Note The IP address of the CP and the internal IP address of the DSL router must be in the same IP subnet.

2.2.7 Configuring the DNS server

The "TMAIL_C" instruction for sending an e-mail from the STEP 7 program can address the SMTP server via different data structures.

The "TMail_FQDN" and "TMail_QDN_SEC" data structures address the SMTP server in a fully qualified manner by the SMTP server name. If you are using these data structures, you need to configure your DSL router as a DNS server.


Instructions

1. In the network or device view, select the CP. The Inspector window displays the CP properties.

2. In the area navigation of the "Properties" tab, select the "DNS configuration" item.

3. In Server list, add the internal IP address of the DSL router as the DNS server address.


2.2.8 Parameterizing the TMail system data types in STEP 7 (TIA Portal)

Depending on the use case, the following system data types are available for parameterizing a secure e-mail connection on the "TMAIL_C" instruction:

"TMail_V4_SEC"

"TMail_V6_SEC"

"TMail_QDN_SEC"

The following sections explain the parameters of the "TMail_QDN_SEC" and "TMail_V4_SEC" system data types.

For an overview of all system data types, see Chapter 3.1.


Parameterizing the "TMail_QDN_SEC" system data type

With the "TMail_QDN_SEC" system data type, the e-mail server is addressed by its fully qualified domain name (FQDN).

Table 2-3

| Parameter | Data type | Value | Description |
|---|---|---|---|
| InterfaceId | LADDR | 261 | Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11) |
| ID | CONN_OUC | 1 | Connection ID |
| Connectiontype | BYTE | 16#22 | Connection type. For FQDN, select 16#22 as the connection type. |
| ActiveEstablishment | BOOL | true | Active or passive connection establishment. As the CP is always the SMTP client, this parameter must be set to "true". |
| WatchDogTime | TIME | T#1m | Time monitoring of execution. Use this parameter to define the maximum duration of sending. |
| MailServerQDN | STRING[254] | For example: 'smtp@provider.com' | FQDN (fully qualified domain name) of the e-mail server from which you want to send an e-mail to a recipient. |
| UserName | STRING[254] | For example: 'myUserName' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account (authentication method: AUTH-LOGIN). |
| PassWord | STRING[254] | For example: 'myUserPassWord' | See UserName. |
| From | EMAIL_ADDR | - | Sender address of the e-mail that is defined by the following two STRING parameters. |
| LocalPartPlusAtSign | STRING[64] | For example: 'myName@' | Local part of the sender address, including @ sign |
| FullQualifiedDomainName | STRING[254] | For example: 'provider.com' | FQDN (fully qualified domain name) of the e-mail server |
| RemotePort | UINT | 587 | TCP port of the e-mail server. Range of values: 25 (non-secure), 465 (secure), 587 (secure) |
| ActivateSecureConn | BOOL | true | True = secure SMTP connection. False = non-secure SMTP connection. In this case, the following parameters are irrelevant. |
| ExtTLSCapabilities | BYTE | 16#0 | Range of values: 16#0, 16#1. 16#1: The alternative subject is checked in the server's certificate. The IP address or DNS name entered in it must match the server's IP address or DNS name. |
| TLSServerCertRef | UDINT | 16#10 | Number of the certificate of the provider that was assigned in the certificate manager of STEP 7 V14 (see Chapter 2.2.5) |
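Added example (not part of the Siemens application example): a Python model of the server check selected by "ExtTLSCapabilities", showing what the alternative-subject comparison adds when a public root CA is the imported trust anchor. It assumes that 16#0 verifies only the chain to the imported certificate, uses the dictionary layout of Python's ssl.getpeercert(), and all certificates and host names are constructed.

```python
"""Model of the server check selected by ExtTLSCapabilities (added example).

Assumption: with 16#0 only the chain to the imported provider certificate is
verified; with 16#1 the subjectAltName must also match the configured server.
Matching follows common RFC 6125-style rules, not the CP firmware.
"""
import ipaddress


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one dNSName entry with the configured FQDN (case-insensitive)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Wildcard only as the complete left-most label, never for a bare TLD.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def san_matches(cert: dict, server: str) -> bool:
    """server is the MailServerQDN (name) or MailServerAddress (IPv4) value."""
    try:
        server_ip = ipaddress.ip_address(server)
    except ValueError:
        server_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if server_ip is not None:
            # An IP target is satisfied only by an iPAddress entry, never a DNS one.
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == server_ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and dns_name_matches(value, server):
            return True
    return False


def server_accepted(chain_trusted: bool, ext_tls_capabilities: int,
                    cert: dict, server: str) -> bool:
    """Decision as the table describes it: chain always, name only with 16#1."""
    if not chain_trusted:
        return False
    if ext_tls_capabilities == 0x1:
        return san_matches(cert, server)
    return True


# Constructed sample certificates, both assumed to chain to the same imported CA.
MAIL_CERT = {"subjectAltName": (("DNS", "smtp.provider.example"),
                                ("DNS", "*.mail.provider.example"),
                                ("IP Address", "192.0.2.25"))}
OTHER_CERT = {"subjectAltName": (("DNS", "www.unrelated.example"),)}

if __name__ == "__main__":
    for caps in (0x0, 0x1):
        for name, cert in (("mail", MAIL_CERT), ("other", OTHER_CERT)):
            ok = server_accepted(True, caps, cert, "smtp.provider.example")
            print(f"ExtTLSCapabilities=16#{caps:X} cert={name}: accepted={ok}")
```

Under the stated assumption, a certificate issued for a different host by the same CA passes with 16#0 and is rejected with 16#1.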


Parameterizing the "TMail_V4_SEC" system data type

With the "TMail_V4_SEC" system data type, the email server is addressed by the IP address according to IPv4.

Table 2-4

Parameter Data type Value Description

InterfaceId LADDR 261 Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11)

ID CONN_OUC 1 Connection ID

Connectiontype BYTE 16#20 Connection type

For IPv4, select 16#20 as the connection type.

ActiveEstablishment BOOL true Active/passive connection establishment. As the CP is always the SMTP client, this parameter must be set to "1".

WatchDogTime TIME T#1m Time monitoring of execution. Use this parameter to define the maximum duration of sending.

MailServerAddress IP_V4 For example:

213.165.67.108

IPv4 IP address of the e-mail server from which you want to send an e-mail.

UserName STRING[254] For example:

'myUserName'

With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account (authentication method: AUTH-LOGIN).

PassWord STRING[254] For example:

'myUserPassWord'

From EMAIL_ADDR - Sender address of the e-mail that is defined by the following two STRING parameters.

LocalPartPlusAtSign STRING[64] For example:

'myName@'

Local part of the sender address, including @ sign

FullQualifiedDomainName

STRING[254] For example:

'provider.com'

FQDN (fully qualified domain name) of the e-mail server

Page 24: Sending Emails over Secure Email Connections with S7 … · Sending Emails over Secure Email Connections with S7-1500 and ... Establishing Secure Connection to ... GeoTrust Global

2 Engineering

Establishing Secure Connection to Email Server Entry ID: 46817803, V1.0, 07/2017 24

S

iem

en

s A

G 2

01

7 A

ll ri

gh

ts r

ese

rve

d

Parameter Data type Value Description

RemotePort UINT 587 TCP port of the e-mail server

Range of values:

25 (non-secure)

465 (secure)

587 (secure)

ActivateSecureConn BOOL true True = secure SMTP connection

False = non-secure SMTP connection. In this case, the following parameters are irrelevant.

ExtTLSCapabilities BYTE 16#0 Range of values: 16#0, 16#1

16#1: The alternative subject is checked in the server's certificate. The IP address or DNS name entered in it must match the server's IP address or DNS name.

TLSServerCertRef UDINT 16#10 Number of the certificate of the provider that was assigned in the certificate manager of STEP 7 V14 (see Chapter 2.2.5)
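A lint pass over the parameter set in the table above, as an added Python example (not Siemens code and not part of the application example). It encodes only the constraints the table states, plus the general fact that AUTH-LOGIN transmits credentials base64-encoded; `TMailV4Sec`, `lint` and the severity labels are this example's own names.

```python
from dataclasses import dataclass

SECURE_PORTS = {465, 587}   # marked "secure" in the RemotePort row
NONSECURE_PORTS = {25}      # marked "non-secure" in the RemotePort row

@dataclass
class TMailV4Sec:
    """Fields and example values as listed in the parameter table."""
    InterfaceId: int = 261
    ID: int = 1
    ConnectionType: int = 0x20
    ActiveEstablishment: bool = True
    MailServerAddress: str = "213.165.67.108"
    UserName: str = "myUserName"
    PassWord: str = "myUserPassWord"
    LocalPartPlusAtSign: str = "myName@"
    FullQualifiedDomainName: str = "provider.com"
    RemotePort: int = 587
    ActivateSecureConn: bool = True
    ExtTLSCapabilities: int = 0x0
    TLSServerCertRef: int = 0x10

def lint(p):
    """Return (severity, message) findings; the severities are this example's own."""
    out = []
    if p.ConnectionType != 0x20:
        out.append(("error", "ConnectionType must be 16#20 for IPv4"))
    if not p.ActiveEstablishment:
        out.append(("error", "ActiveEstablishment must be true: the CP is the SMTP client"))
    for name, limit in (("UserName", 254), ("PassWord", 254),
                        ("LocalPartPlusAtSign", 64), ("FullQualifiedDomainName", 254)):
        if len(getattr(p, name).encode()) > limit:
            out.append(("error", f"{name} exceeds STRING[{limit}]"))
    if not p.LocalPartPlusAtSign.endswith("@"):
        out.append(("error", "LocalPartPlusAtSign must end with the @ sign"))
    if p.RemotePort not in SECURE_PORTS | NONSECURE_PORTS:
        out.append(("error", f"RemotePort {p.RemotePort} is outside 25/465/587"))
    if not p.ActivateSecureConn:
        out.append(("high", "non-secure SMTP: AUTH-LOGIN credentials are only "
                            "base64-encoded and readable on the wire"))
    elif p.RemotePort in NONSECURE_PORTS:
        out.append(("warn", "ActivateSecureConn is true but port 25 is listed as non-secure"))
    # The TLS parameters are irrelevant when ActivateSecureConn is false.
    if p.ActivateSecureConn and p.ExtTLSCapabilities not in (0x0, 0x1):
        out.append(("error", "ExtTLSCapabilities must be 16#0 or 16#1"))
    elif p.ActivateSecureConn and p.ExtTLSCapabilities == 0x0:
        out.append(("warn", "ExtTLSCapabilities 16#0: the certificate's alternative "
                            "subject is not matched against the server address"))
    return out
```

The table's own example values pass with a single warning, because the documented `ExtTLSCapabilities` value is 16#0.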

2.2.9 Parameterizing the "TMAIL_C" instruction

Call the "TMAIL_C" instruction cyclically in the user program of the S7-1500 or S7-1200 CPU. The "TMAIL_C" instruction can be found in the "Instructions" task card in "Communication > Open user communication".

The following figure shows the call of the "TMAIL_C" instruction in the user program.

Figure 2-3

Input parameter

The following table shows the input parameters of the "TMAIL_C" instruction.

Table 2-5

Input parameter Data type Description

REQ Bool Control parameter

The REQ input parameter enables the sending of an e-mail in the case of a rising edge.

TO_S String Recipient address

String with a maximum length of 240 characters (bytes).

SUBJECT String The e-mail's subject line

String with a maximum length of 240 characters (bytes).

TEXT String Text of the e-mail

String with a maximum length of 240 characters (bytes). If an empty string is assigned at this parameter, the e-mail will be sent without text.

MAIL_ADDR_PARAM Variant Connection parameter:

Parameter of the connection and address of the e-mail server (see Chapter 2.2.8)

Output parameter

The following table shows the output parameters of the "TMAIL_C" instruction.

Table 2-6

Output parameter Data type Description

DONE Bool Status parameter

DONE = 0: Job has not yet started or is still running.

DONE = 1: Job completed without errors.

BUSY Bool Status parameter

BUSY = 0: Processing of TMAIL_C is complete.

BUSY = 1: Sending the email is not yet complete.

ERROR Bool Status parameter

ERROR = 0: No error has occurred

ERROR = 1: An error has occurred while processing. STATUS provides detailed information about the error type.

STATUS Word Status parameter

Return value or error information of the "TMAIL_C" instruction

2.2.10 Setting the S7 CPU's time

As a certificate always includes a period for which it is valid, the time of the S7 CPU that wants to encrypt with this certificate must be within this period.

For an S7 CPU straight from the factory or after a general reset of the S7 CPU, the internal clock is set to a default that falls outside the certificate's validity interval. In this case, the certificate is marked as invalid.

One option is to set the time manually. Proceed as follows:

1. In the project tree, go to the device folder of the S7 CPU and select the "Online & diagnostics" item. The "Online & diagnostics" view opens.

2. Click the "Go online" button.

3. In "Functions > Set time", set the time by applying the module time from the PG/PC:

– Enable the "Take from PG/PC" function.

– Click the "Apply" button.
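Section 2.2.10 (CPU time inside the certificate's validity period) and the "ExtTLSCapabilities" row (16#1: the alternative subject must match the server's IP address or DNS name) describe two checks on the server certificate. The following added Python example, which is not Siemens code, models both on a constructed certificate. `check`, `san_matches` and all sample names, addresses and dates are assumptions of this example, and the wildcard rule is generic TLS host matching, not a statement about the CP firmware.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed certificate in the dict layout of ssl.SSLSocket.getpeercert();
# the names and dates are sample values, not taken from a real server.
SAMPLE_CERT = {
    "notBefore": "Mar  1 00:00:00 2017 GMT",
    "notAfter": "Mar  1 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "smtp.provider.example"),
                       ("DNS", "*.mail.provider.example")),
}

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may stand for the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def san_matches(cert, addressed_as):
    """True if the address the client connects to appears in subjectAltName."""
    try:
        ip = ipaddress.ip_address(addressed_as)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, addressed_as):
            return True
    return False

def check(cert, addressed_as, clock_utc, check_san):
    """Return the reasons a client with this clock would reject the certificate."""
    now = clock_utc.timestamp()
    reasons = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not yet valid")   # e.g. a clock still at its reset default
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    if check_san and not san_matches(cert, addressed_as):
        reasons.append("alternative subject mismatch")
    return reasons
```

A server addressed by IP address passes the alternative-subject check only if its certificate lists that IP address, which is worth verifying before setting "ExtTLSCapabilities" to 16#1 on an IPv4 connection.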

2.2.11 Determining the CP's hardware identifier

In the hardware configuration, determine the CP's hardware identifier.

Instructions

1. In the network or device view, select the CP. The Inspector window displays the CP properties.

2. In the area navigation of the "Properties" tab, go to "Ethernet interface [X1]" and select the "Hardware identifier" item to view the hardware identifier of the CP 1543-1.

3 Valuable Information

3.1 SMTP servers and ports of providers

The following table shows the SMTP servers and ports of some providers.

Table 3-1

Provider SMTP server Port

Web.de smtp.web.de 587

GMX mail.gmx.de 587

T-Online securesmtp.t-online.de 587, 465

Gmail smtp.google.com 587, 465

Note: To determine the SMTP server's IP address, ping the SMTP server from a PG/PC. Enter the ping command, for example "ping smtp.web.de", in the Command Prompt window.

3.2 Overview of the system data types of "TMAIL_C"

The following table provides an overview of all system data types of the "TMAIL_C" instruction.

Table 3-2

System data type STEP 7 V13 STEP 7 V14 SMTP(S) ports

Secure connection (SMTP over TLS)

Non-secure connection

Secure connection (SMTP over TLS)

Non-secure connection

"TMail_V4" Cannot be set

"TMail_V6" Cannot be set

"TMail_FQDN" Cannot be set

"TMail_V4_SEC" Can be set

"TMail_V6_SEC" Can be set

"TMail_QDN_SEC" Can be set

"TMail_C" instruction

V3.0 V4.0

"Open user communication" library

V4.1 V5.0

For STEP 7 V14 or higher, the "TMail_V4_SEC", "TMail_V6_SEC" and "TMail_QDN_SEC" system data types are supported by the following components:

CP 1543-1 V2.0 or higher

CP 1542SP-1 IRC V1.0 or higher

CP 1543SP-1 V1.0 or higher

CP 1243-1 V2.1 or higher

CP 1242-7 GPRS V2.1 or higher

CP 1243-7 LTE V2.1 or higher

CP 1243-8 V2.1 or higher

3.3 Alternative solutions

This chapter shows you how to establish a secure connection to a mail server in STEP 7 V13 using the "TMAIL_C" instruction.

3.3.1 Integrating certificates into STEP 7 V13

In STEP 7 V13, insert the provider's certificate. In this application example, we insert the "Telekom Root CA 2" certificate:

1. To log the security user in to the global security settings with user name and password, proceed as follows: In the project tree, go to "Global security settings" and double-click the "User login" item. If a security user has not yet been created, create a new one. The login of the security user is required to insert the provider's certificate in the certificate manager.

2. To open the certificate manager in the workspace, proceed as follows: In the project tree, go to "Global security settings" and double-click the "Certificate manager" item.

3. In the "Trusted certificates and root certification authorities" tab, import, for example, the "Telekom Root CA 2" certificate.

3.3.2 Configuring the CP 1543-1 in STEP 7 V13

1. Connect the CP 1543-1 to the Internet (see Chapter 2.2.6).

2. Configure the DNS server (see Chapter 2.2.7).

3. Set the S7-1500 CPU's time (see Chapter 2.2.10).

4. In the area navigation of the "Properties" tab, select the "Security" item and enable the "Activate security features" function.

3.3.3 Setting up a secure connection to an e-mail server in STEP 7 V13

Depending on the use case, the following system data types are available for parameterizing a secure e-mail connection on the "TMAIL_C" instruction:

"TMail_V4"

"TMail_V6"

"TMail_FQDN"

The following sections explain the parameters of the "TMail_FQDN" and "TMail_V4" system data types.

Parameterizing the "TMail_FQDN" system data type

With the "TMail_FQDN" system data type, the email server is addressed by its fully qualified domain name (FQDN). The destination port cannot be set. The following table shows the structure of the "TMail_FQDN" system data type.

Table 3-3

Parameter Data type Value Description

InterfaceId LADDR 261 Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11)

ID CONN_OUC 1 Connection ID

Connectiontype BYTE 16#22 Connection type

For FQDN, select 16#22 as the connection type.

ActiveEstablishment BOOL - Status bit

When the connection has been established, the status bit is set to "1".

CertIndex BYTE 16#1 Set the "CertIndex" parameter = 1. This specifies that a secure e-mail connection is being set up.

WatchDogTime TIME T#1m Time monitoring of execution. Use this parameter to define the maximum duration of sending.

MailServerQDN STRING[254] For example:

'smtp@provider.com'

FQDN (fully qualified domain name) of the e-mail server from which you want to send an email.

UserName STRING[254] For example:

'myUserName'

With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account.

PassWord STRING[254] For example:

'myUserPassWord'

From EMAIL_ADDR - Sender address of the e-mail that is defined by the following two STRING parameters.

LocalPartPlusAtSign STRING[64] For example:

'myName@'

Local part of the sender address, including @ sign

FullQualifiedDomainName STRING[254] For example:

'provider.com'

FQDN (fully qualified domain name) of the e-mail server.

Parameterizing the "TMail_V4" system data type

With the "TMail_V4" system data type, the email server is addressed by the IP address according to IPv4. The destination port cannot be set. The following table shows the structure of the "TMail_V4" system data type.

Table 3-4

Parameter Data type Value Description

InterfaceId LADDR 261 Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11)

ID CONN_OUC 1 Connection ID

Connectiontype BYTE 16#20 Connection type

For IPv4, select 16#20 as the connection type.

ActiveEstablishment BOOL - Status bit

When the connection has been established, the status bit is set to "1".

CertIndex BYTE 16#1 Set the "CertIndex" parameter = 1. This specifies that a secure e-mail connection is being set up.

WatchDogTime TIME T#1m Time monitoring of execution. Use this parameter to define the maximum duration of sending.

MailServerAddress IP_V4 For example:

213.165.67.108

IPv4 IP address of the e-mail server from which you want to send an email.

UserName STRING[254] For example:

'myUserName'

With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account.

PassWord STRING[254] For example:

'myUserPassWord'

From EMAIL_ADDR - Sender address of the e-mail that is defined by the following two STRING parameters.

LocalPartPlusAtSign STRING[64] For example:

'myName@'

Local part of the sender address, including @ sign

FullQualifiedDomainName STRING[254] For example:

'provider.com'

FQDN (fully qualified domain name) of the e-mail server.

Parameterizing the "TMAIL_C" instruction

In the user program of the S7 CPU, call the "TMAIL_C" instruction with one of the system data types "TMail_V4", "TMail_V6" or "TMail_FQDN" (see Chapter 2.2.9).

4 Appendix

4.1 Service and support

Industry Online Support

Do you have any questions or do you need support?

With Industry Online Support, our complete service and support know-how and services are available to you 24/7.

Industry Online Support is the place to go to for information about our products, solutions and services.

Product Information, Manuals, Downloads, FAQs and Application Examples – all the information can be accessed with just a few clicks: https://support.industry.siemens.com

Technical Support

Siemens Industry’s Technical Support offers you fast and competent support for any technical queries you may have, including numerous tailor-made offerings ranging from basic support to custom support contracts.

You can use the web form below to send queries to Technical Support: www.siemens.com/industry/supportrequest.

Service offer

Our service offer includes the following services:

Product Training

Plant Data Services

Spare Part Services

Repair Services

Field & Maintenance Services

Retrofit & Modernization Services

Service Programs & Agreements

For detailed information about our service offer, please refer to the Service Catalog: https://support.industry.siemens.com/cs/sc

Industry Online Support app

The "Siemens Industry Online Support" app provides you with optimum support while on the go. The app is available for Apple iOS, Android and Windows Phone: https://support.industry.siemens.com/cs/ww/en/sc/2067

4.2 Links and literature

Table 4-1

No. Topic

\1\ Siemens Industry Online Support

https://support.industry.siemens.com

\2\ Link to this entry page of this application example

https://support.industry.siemens.com/cs/ww/en/view/46817803

\3\ SIMATIC STEP 7 Professional V14.0

https://support.industry.siemens.com/cs/ww/en/view/109742272

4.3 Change documentation

Table 4-2

Version Date Modifications

V1.0 06/2017 First version