Sending Emails over Secure Email Connections with S7-1500 and S7-1200
CP 1543-1, CP 1243-1 STEP 7 V14, TMAIL_C
https://support.industry.siemens.com/cs/ww/en/view/46817803
Siemens Industry Online Support
Establishing Secure Connection to Email Server Entry ID: 46817803, V1.0, 07/2017 2
Siemens AG 2017 All rights reserved
Warranty and Liability
Note The Application Examples are not binding and do not claim to be complete regarding the circuits shown, equipping and any eventuality. The Application Examples do not represent customer-specific solutions. They are only intended to provide support for typical applications. You are responsible for ensuring that the described products are used correctly. These Application Examples do not relieve you of the responsibility to use safe practices in application, installation, operation and maintenance. When using these Application Examples, you recognize that we cannot be made liable for any damage/claims beyond the liability clause described. We reserve the right to make changes to these Application Examples at any time without prior notice. If there are any deviations between the recommendations provided in these Application Examples and other Siemens publications – e.g. Catalogs – the contents of the other documents have priority.
We do not accept any liability for the information contained in this document. Any claims against us – based on whatever legal reason – resulting from the use of the examples, information, programs, engineering and performance data etc., described in this Application Example shall be excluded. Such an exclusion shall not apply in the case of mandatory liability, e.g. under the German Product Liability Act (“Produkthaftungsgesetz”), in case of intent, gross negligence, or injury of life, body or health, guarantee for the quality of a product, fraudulent concealment of a deficiency or breach of a condition which goes to the root of the contract (“wesentliche Vertragspflichten”). The damages for a breach of a substantial contractual obligation are, however, limited to the foreseeable damage, typical for the type of contract, except in the event of intent or gross negligence or injury to life, body or health. The above provisions do not imply a change of the burden of proof to your detriment. Any form of duplication or distribution of these Application Examples or excerpts hereof is prohibited without the expressed consent of the Siemens AG.
Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks. In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial security concept. Siemens’ products and solutions only form one element of such a concept. Customer is responsible to prevent unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary and with appropriate security measures (e.g. use of firewalls and network segmentation) in place. Additionally, Siemens’ guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit http://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more secure. Siemens strongly recommends applying product updates as soon as they are available and always using the latest product versions. Use of product versions that are no longer supported, and failure to apply the latest updates, may increase the customer’s exposure to cyber threats. To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under http://www.siemens.com/industrialsecurity.
Table of Contents
Warranty and Liability ... 2
1 Introduction ... 4
1.1 Overview ... 4
1.2 Mode of operation ... 4
1.3 Components used ... 5
2 Engineering ... 6
2.1 Hardware configuration ... 6
2.2 Configuration and parameterization ... 6
2.2.1 Determining and downloading the provider's certificate ... 6
2.2.2 Allowing email account access by CP ... 9
2.2.3 Activating the security features in the CP ... 11
2.2.4 Importing the provider certificate into STEP 7 (TIA Portal) ... 15
2.2.5 Adding the provider certificate to the CP ... 17
2.2.6 Connecting the CP to the Internet ... 19
2.2.7 Configuring the DNS server ... 19
2.2.8 Parameterizing the TMail system data types in STEP 7 (TIA Portal) ... 20
2.2.9 Parameterizing the "TMAIL_C" instruction ... 25
2.2.10 Setting the S7 CPU's time ... 27
2.2.11 Determining the CP's hardware identifier ... 29
3 Valuable Information ... 30
3.1 SMTP servers and ports of providers ... 30
3.2 Overview of the system data types of "TMAIL_C" ... 30
3.3 Alternative solutions ... 31
3.3.1 Integrating certificates into STEP 7 V13 ... 31
3.3.2 Configuring the CP 1543-1 in STEP 7 V13 ... 33
3.3.3 Setting up a secure connection to an e-mail server in STEP 7 V13 ... 33
4 Appendix ... 37
4.1 Service and support ... 37
4.2 Links and literature ... 38
4.3 Change documentation ... 38
1 Introduction
1.1 Overview
Sending e-mails is the default mechanism for transmitting error conditions or warnings from industrial plants to a control center or to operating staff. The SIMATIC S7 product range includes products that support this function.
Nowadays, for security reasons, most e-mail servers only accept secure connections. Therefore, secure e-mail connections have been added to the communications processors that support the "Send e-mail" function.
This application example shows you how to set up a secure connection (SMTP over TLS) to an e-mail server with the CP 1543-1 in an S7-1500 station.
1.2 Mode of operation
The following figure shows the most important relationships between the components involved and the steps that are necessary to set up a secure connection (SMTP over TLS) to an e-mail server.
Figure 1-1: E-mail service provider (SMTP server with certificate store: idx, Cert_Name); STEP 7 (TIA Portal) engineering with the certificates Cert_xy and Cert_xy1; S7-1500/S7-1200 station with "TMAIL_C" and the TMail parameters; SMTP over TLS between CP and SMTP server; e-mail account with user name and password. Steps 1 to 4 are described in Table 1-1.
Table 1-1
Step | Description
1 | Determine the certificate of your e-mail service provider. In the e-mail account, allow the communications processor (CP) to access the e-mail account via SMTP or SMTPS.
2 | Import the certificate of your e-mail service provider into STEP 7 (TIA Portal).
3 | In the S7-1500 or S7-1200 station, perform the following configuration steps:
- Add the certificate that you have imported into STEP 7 (TIA Portal) to the CP
- Connect the CP to the Internet
- Configure the DNS server
- Call and parameterize the "TMAIL_C" instruction in the user program of the S7 CPU
- Set the S7 CPU's time
4 | Send the e-mail over a secure connection (SMTP over TLS).
1.3 Components used
This application example was created with the following hardware and software components:
Table 1-2
Component | No. | Article no. | Note
CPU 1513-1 PN | 1 | 6ES7513-1AL01-0AB0 | Alternatively, you can use any other S7-1500 CPU, an S7-1200 CPU or an ET 200SP CPU.
CP 1543-1 | 1 | 6GK7543-1AX00-0XE0 | If you are using an S7-1200 CPU, you need one of the following CPs:
- CP 1243-1 (6GK7243-1BX30-0XE0)
- CP 1242-7 GPRS (6GK7242-7KX31-0XE0)
- CP 1243-7 LTE (6GK7243-7KX30-0XE0, 6GK7243-7SX30-0XE0)
- CP 1243-8 IRC (6GK7243-8RX30-0XE0)
If you are using an ET 200SP CPU, you need one of the following CPs:
- CP 1542SP-1 IRC (6GK7542-6VX00-0XE0)
- CP 1543SP-1 (6GK7543-6WX00-0XE0)
This application example consists of the following components:
Table 1-3
Component File name Note
Document 46817803_EMail_with_CP1543-1.pdf -
2 Engineering
2.1 Hardware configuration
The following figure shows the hardware configuration.
Figure 2-1: Plant (components 1 to 4, see Table 2-1) connected via a DSL router (5) to the Internet; provider (e-mail server) with the e-mail account (user name, password); control center with the recipient (e-mail client).
The following table shows the IP addresses of the plant's hardware components.
Table 2-1
No. Component IP address Subnet mask
1 CPU 1513-1 PN 192.168.0.1 255.255.255.0
2 CP 1543-1 172.16.43.4 255.255.0.0
3 CPU 1214C 192.168.0.2 255.255.255.0
4 CP 1243-1 172.16.43.5 255.255.0.0
5 DSL router 172.16.0.1 255.255.0.0
2.2 Configuration and parameterization
2.2.1 Determining and downloading the provider's certificate
Overview
A certificate contains the public key of its owner (in this case: the e-mail service provider) together with a digital signature that ensures the certificate's authenticity and integrity.
This certificate must first be determined and then downloaded from the provider's website.
Determining the provider's certificate
This application example demonstrates how to determine the certificate using Google's e-mail service, Gmail. Microsoft Internet Explorer is used as the Web browser. Other browsers have different dialogs.
1. To determine your provider's certificate, log in to your Gmail account.
2. In the Internet Explorer address bar, click the "Security report" icon. The "Website Identification" dialog opens.
3. Click "View certificates". The "Certificate" dialog opens.
4. Open the "Certification Path" tab. It displays the name of the certificate that is used by your provider. Gmail uses the "GeoTrust Global CA" certificate.
Downloading the provider's certificate
Each provider normally offers the appropriate certificates for download on its website.
As an example, Table 2-2 provides the links to Telekom's and Google's certificates.
Table 2-2
Name of certificate | Used by | Link
Telekom Root CA 2 | Web.de, GMX | Telekom Root CA 2 certificate
GeoTrust Global CA | Gmail | Use the Windows Console Root to export the certificate (see Figure 2-2). Then you can import the certificate into STEP 7 (TIA Portal). Requirement: the certificate is installed on the PC.
T-TeleSec GlobalRoot Class 3 | T-Online | T-TeleSec GlobalRoot Class 3
Figure 2-2: Exporting the "GeoTrust Global CA" certificate from the Windows Console Root.
2.2.2 Allowing email account access by CP
In your email account, allow the CP to access your email account via SMTP or SMTPS. These settings differ depending on the provider.
The following instructions show you how to allow the CP to access an email account of the following providers:
GMX
Web.de
T-Online
Gmail
First, log in to your email account.
GMX
1. In the "E-mail" tab, click "Settings".
2. Select "POP3/IMAP demand".
3. Check the "Send and receive e-mails via external program (Outlook, Thunderbird)" check box.
4. Click "Save".
Web.de
1. In the "Inbox" tab, click "Settings".
2. Select "POP3/IMAP demand".
3. Check the "Send and receive e-mails via external program (Outlook, Thunderbird)" check box.
4. Click "Save".
T-Online
T-Online allows access by any e-mail client. All that is required is a valid e-mail password.
1. In the "Menu" tab, click "Settings".
2. Select "Passwörter" (Passwords).
3. In "E-mail password - For using an e-mail program", click "Change e-mail password".
4. In "Set up additional e-mail program of other providers", click "Edit".
5. Specify a password.
Gmail
1. Click the "Settings" icon.
2. Select the "Settings" context menu.
3. Open the "Forwarding and POP/IMAP" tab.
4. In "IMAP access", select the "Enable IMAP" function.
5. Click "Save Changes".
6. Follow the instructions described at the link below: Enabling Third-party Apps in Gmail
2.2.3 Activating the security features in the CP
Activating the security features in the CP requires that a user with sufficient configuration rights be logged in.
A security user is authorized to make global security settings.
Creating a security user and logging the user in to the global security settings
To create a security user and log this user in to the global security settings, follow the instructions below:
1. In the device or network view, select the CP. The Inspector window displays the CP properties.
2. In the area navigation of the "Properties" tab, select the "Security" item to display the CP's security properties in the Inspector window.
3. Click the "User login" button to create a new security user or log an existing security user in to the global security settings.
4. If you need to create a new security user, make the following settings in the "Global security settings > User login" dialog:
– Specify a user name and password
– Confirm the password
– Click the "Log in" button to create the security user and log the user in to the global security settings.
5. To log an existing security user in to the global security settings, make the following settings in the "Global security settings > User login" dialog:
– Enter the security user's user name and password.
– Click the "Log in" button.
6. The successful login of the security user is shown in the "Global security settings > User login" dialog.
Activating security features
1. In the device or network view, select the CP. The Inspector window displays the CP properties.
2. In the area navigation of the "Properties" tab, select the "Security" item to display the CP's security properties in the Inspector window.
3. Enable the "Activate security features" function.
2.2.4 Importing the provider certificate into STEP 7 (TIA Portal)
The provider certificate must be imported into STEP 7 (TIA Portal). This application example imports the "Telekom Root CA 2" certificate into STEP 7 (TIA Portal).
Requirement
The security user must be logged in to the global security settings. This login is required to insert the provider's certificate in the certificate manager.
If necessary, log the security user in to the global security settings as described in the following section:
1. In the project tree, go to "Global security settings" and double-click the "User login" item.
2. In the STEP 7 (TIA Portal) workspace, enter the security user's user name and password. Click the "Log in" button.
Note Chapter 2.2.3 describes how to create a security user.
Instructions
1. To open the certificate manager in the STEP 7 (TIA Portal) workspace, proceed as follows: In the project tree, go to "Global security settings" and double-click the "Certificate manager" item.
2. In the "Certificate authority (CA)" tab, import the certificate, for example "Telekom Root CA 2".
3. When you have imported the certificate, for example "Telekom Root CA 2", into STEP 7 (TIA Portal), you must add it to the CP. Chapter 2.2.5 describes how to do this.
2.2.5 Adding the provider certificate to the CP
Add the provider certificate to the CP.
Instructions for the CP 1543-1
1. In the device or network view, select the CP 1543-1. The Inspector window displays the CP 1543-1 properties.
2. In the area navigation of the "Properties" tab, go to "Security" and select the "Certificate manager" item to add the provider certificate to the CP 1543-1.
3. In "Certificates of the partner devices", add the "Telekom Root CA 2" certificate. The ID is the certificate number. Enter this value in the connection parameters for the "TLSServerCertRef" parameter.
Instructions for the CP 1243-1
1. In the device or network view, select the CP 1243-1. The Inspector window displays the CP 1243-1 properties.
2. In the area navigation of the "Properties" tab, go to "Security" and select the "Certificate manager" item to add the provider certificate to the CP 1243-1.
3. In "Trustworthy client certificates", add the "Telekom Root CA 2" certificate. The ID is the certificate number. Enter this value in the connection parameters for the "TLSServerCertRef" parameter.
2.2.6 Connecting the CP to the Internet
Connect the Ethernet interface of the CP to the router that establishes the connection to the Internet (e.g., a DSL router).
In the hardware configuration, set the IP address and subnet mask of the CP and the router address.
Instructions
1. In the network or device view, select the CP. The Inspector window displays the CP properties.
2. In the area navigation of the "Properties" tab, go to "Ethernet interface [X1]" and select the "Ethernet addresses" item.
3. Make the following settings:
– IP address and subnet mask of the CP
– Internal IP address of the DSL router
Note The IP address of the CP and the internal IP address of the DSL router must be in the same IP subnet.
2.2.7 Configuring the DNS server
The "TMAIL_C" instruction for sending an e-mail from the STEP 7 program can address the SMTP server via different data structures.
The "TMail_FQDN" and "TMail_QDN_SEC" data structures address the SMTP server in a fully qualified manner by the SMTP server name. If you are using these data structures, you need to configure your DSL router as a DNS server.
Instructions
1. In the network or device view, select the CP. The Inspector window displays the CP properties.
2. In the area navigation of the "Properties" tab, select the "DNS configuration" item.
3. In Server list, add the internal IP address of the DSL router as the DNS server address.
2.2.8 Parameterizing the TMail system data types in STEP 7 (TIA Portal)
Depending on the use case, the following system data types are available for parameterizing a secure e-mail connection on the "TMAIL_C" instruction:
"TMail_V4_SEC"
"TMail_V6_SEC"
"TMail_QDN_SEC"
The following sections explain the parameters of the "TMail_QDN_SEC" and "TMail_V4_SEC" system data types.
For an overview of all system data types, see Chapter 3.1.
Parameterizing the "TMail_QDN_SEC" system data type
With the "TMail_QDN_SEC" system data type, the e-mail server is addressed by its fully qualified domain name (FQDN).
Table 2-3
Parameter | Data type | Value | Description
InterfaceId | LADDR | 261 | Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11)
ID | CONN_OUC | 1 | Connection ID
ConnectionType | BYTE | 16#22 | Connection type. For FQDN addressing, select 16#22.
ActiveEstablishment | BOOL | true | Active or passive connection establishment. As the CP is always the SMTP client, this parameter must be set to "true".
WatchDogTime | TIME | T#1m | Time monitoring of execution. Use this parameter to define the maximum duration of sending.
MailServerQDN | STRING[254] | For example: 'smtp@provider.com' | FQDN (fully qualified domain name) of the e-mail server from which you want to send an e-mail to a recipient.
UserName | STRING[254] | For example: 'myUserName' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account (authentication method: AUTH-LOGIN).
PassWord | STRING[254] | For example: 'myUserPassWord' | Password of the e-mail account (see UserName).
From | EMAIL_ADDR | - | Sender address of the e-mail, defined by the following two STRING parameters.
LocalPartPlusAtSign | STRING[64] | For example: 'myName@' | Local part of the sender address, including the @ sign
FullQualifiedDomainName | STRING[254] | For example: 'provider.com' | FQDN (fully qualified domain name) of the e-mail server
RemotePort | UINT | 587 | TCP port of the e-mail server. Range of values: 25 (non-secure), 465 (secure), 587 (secure)
ActivateSecureConn | BOOL | true | True = secure SMTP connection. False = non-secure SMTP connection; in this case, the following parameters are irrelevant.
ExtTLSCapabilities | BYTE | 16#0 | Range of values: 16#0, 16#1. 16#1: The alternative subject (subject alternative name) in the server's certificate is checked. The IP address or DNS name entered there must match the server's IP address or DNS name.
TLSServerCertRef | UDINT | 16#10 | Number of the provider's certificate as assigned in the certificate manager of STEP 7 V14 (see Chapter 2.2.5)
Parameterizing the "TMail_V4_SEC" system data type
With the "TMail_V4_SEC" system data type, the e-mail server is addressed by its IPv4 address.
Table 2-4
Parameter | Data type | Value | Description
InterfaceId | LADDR | 261 | Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11)
ID | CONN_OUC | 1 | Connection ID
ConnectionType | BYTE | 16#20 | Connection type. For IPv4 addressing, select 16#20.
ActiveEstablishment | BOOL | true | Active or passive connection establishment. As the CP is always the SMTP client, this parameter must be set to "1".
WatchDogTime | TIME | T#1m | Time monitoring of execution. Use this parameter to define the maximum duration of sending.
MailServerAddress | IP_V4 | For example: 213.165.67.108 | IPv4 address of the e-mail server from which you want to send an e-mail.
UserName | STRING[254] | For example: 'myUserName' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account (authentication method: AUTH-LOGIN).
PassWord | STRING[254] | For example: 'myUserPassWord' | Password of the e-mail account (see UserName).
From | EMAIL_ADDR | - | Sender address of the e-mail, defined by the following two STRING parameters.
LocalPartPlusAtSign | STRING[64] | For example: 'myName@' | Local part of the sender address, including the @ sign
FullQualifiedDomainName | STRING[254] | For example: 'provider.com' | FQDN (fully qualified domain name) of the e-mail server
RemotePort | UINT | 587 | TCP port of the e-mail server. Range of values: 25 (non-secure), 465 (secure), 587 (secure)
ActivateSecureConn | BOOL | true | True = secure SMTP connection. False = non-secure SMTP connection; in this case, the following parameters are irrelevant.
ExtTLSCapabilities | BYTE | 16#0 | Range of values: 16#0, 16#1. 16#1: The alternative subject (subject alternative name) in the server's certificate is checked. The IP address or DNS name entered there must match the server's IP address or DNS name.
TLSServerCertRef | UDINT | 16#10 | Number of the provider's certificate as assigned in the certificate manager of STEP 7 V14 (see Chapter 2.2.5)
2.2.9 Parameterizing the "TMAIL_C" instruction
Call the "TMAIL_C" instruction cyclically in the user program of the S7-1500 or S7-1200 CPU. The "TMAIL_C" instruction can be found in the "Instructions" task card under "Communication > Open user communication".
The following figure shows the call of the "TMAIL_C" instruction in the user program.
Figure 2-3: Call of the "TMAIL_C" instruction in the user program.
Input parameter
The following table shows the input parameters of the "TMAIL_C" instruction.
Table 2-5
Input parameter | Data type | Description
REQ | Bool | Control parameter. A rising edge at REQ enables the sending of an e-mail.
TO_S | String | Recipient address. String with a maximum length of 240 characters (bytes).
SUBJECT | String | The e-mail's subject line. String with a maximum length of 240 characters (bytes).
TEXT | String | Text of the e-mail. String with a maximum length of 240 characters (bytes). If an empty string is assigned to this parameter, the e-mail is sent without text.
MAIL_ADDR_PARAM | Variant | Connection parameters: parameters of the connection and address of the e-mail server (see Chapter 2.2.8)
Output parameters
The following table shows the output parameters of the "TMAIL_C" instruction.
Table 2-6
Output parameter | Data type | Description
DONE | Bool | Status parameter. DONE = 0: Job has not yet started or is still running. DONE = 1: Job completed without errors.
BUSY | Bool | Status parameter. BUSY = 0: Processing of TMAIL_C is complete. BUSY = 1: Sending the e-mail is not yet complete.
ERROR | Bool | Status parameter. ERROR = 0: No error has occurred. ERROR = 1: An error has occurred during processing; STATUS provides detailed information about the error type.
STATUS | Word | Status parameter. Return value or error information of the "TMAIL_C" instruction.
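The following SCL function block is an added example and not part of the Siemens application example: it fills a "TMail_QDN_SEC" structure with the values from Table 2-3 and calls "TMAIL_C" cyclically as described in Chapter 2.2.9, evaluating DONE, BUSY, ERROR and STATUS from Table 2-6. The block name "FB_SendAlarmMail", the recipient address, the server name taken from Table 3-1 and the choice of ExtTLSCapabilities = 16#1 (server name check) are assumptions for this example.

```scl
// Added example (not part of the Siemens application example).
// Sends one e-mail per rising edge of "trigger" over SMTP with TLS.
FUNCTION_BLOCK "FB_SendAlarmMail"
VAR_INPUT
    trigger   : Bool;         // rising edge starts one send job
    alarmText : String[240];  // e-mail body, max. 240 characters (Table 2-5)
END_VAR
VAR_OUTPUT
    sending    : Bool;        // mirrors BUSY of TMAIL_C
    failed     : Bool;        // last job ended with ERROR = 1
    lastStatus : Word;        // STATUS of the last finished job (Table 2-6)
END_VAR
VAR
    mailParam   : TMail_QDN_SEC;  // system data type from Chapter 2.2.8
    instTMAIL_C : TMAIL_C;        // instance of the instruction
    req         : Bool;
    triggerOld  : Bool;
    done        : Bool;
    busy        : Bool;
    err         : Bool;
    status      : Word;
    initialized : Bool;
END_VAR

BEGIN
    // One-time parameterization with the values of Table 2-3.
    // Adjust InterfaceId, server, account and certificate ID to your setup.
    IF NOT #initialized THEN
        #mailParam.InterfaceId         := 261;        // HW identifier of the CP (2.2.11)
        #mailParam.ID                  := 1;          // connection ID
        #mailParam.ConnectionType      := 16#22;      // addressing by FQDN
        #mailParam.ActiveEstablishment := TRUE;       // CP is always the SMTP client
        #mailParam.WatchDogTime        := T#1m;       // max. duration of one send job
        #mailParam.MailServerQDN       := 'smtp.web.de';  // example server from Table 3-1
        #mailParam.UserName            := 'myUserName';
        #mailParam.PassWord            := 'myUserPassWord'; // example value; keep real
                                                            // credentials out of source text
        #mailParam.From.LocalPartPlusAtSign     := 'myName@';
        #mailParam.From.FullQualifiedDomainName := 'provider.com';
        #mailParam.RemotePort          := 587;        // secure port (Table 2-3)
        #mailParam.ActivateSecureConn  := TRUE;       // TLS on; next two only apply then
        #mailParam.ExtTLSCapabilities  := 16#1;       // also check the server name in the
                                                      // certificate's subject alternative name
        #mailParam.TLSServerCertRef    := 16#10;      // certificate ID from the CP's
                                                      // certificate manager (2.2.5)
        #initialized := TRUE;
    END_IF;

    // Start a job on a rising edge of "trigger" while no job is running.
    IF #trigger AND NOT #triggerOld AND NOT #busy THEN
        #req    := TRUE;
        #failed := FALSE;
    END_IF;
    #triggerOld := #trigger;

    // Cyclic call of the instruction (Chapter 2.2.9, Table 2-5).
    #instTMAIL_C(REQ             := #req,
                 TO_S            := 'operator@control-center.example',
                 SUBJECT         := 'Plant alarm',
                 TEXT            := #alarmText,
                 MAIL_ADDR_PARAM := #mailParam,
                 DONE            => #done,
                 BUSY            => #busy,
                 ERROR           => #err,
                 STATUS          => #status);

    // Evaluate the job result (Table 2-6) and release REQ for the next edge.
    IF #done OR #err THEN
        #req        := FALSE;
        #failed     := #err;
        #lastStatus := #status;   // keep STATUS for diagnostics, e.g. a rejected
                                  // certificate or an expired validity period (2.2.10)
    END_IF;
    #sending := #busy;
END_FUNCTION_BLOCK
```

Calling "FB_SendAlarmMail" from a cyclic OB is sufficient; the instruction's STATUS output is the first thing to read when a send job fails after the CPU clock, DNS server or certificate ID has been changed.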
2.2.10 Setting the S7 CPU's time
A certificate always includes a period for which it is valid, so the time of the S7 CPU that is to validate this certificate must lie within this period.
For an S7 CPU straight from the factory or after a general reset of the S7 CPU, the internal clock is set to a default that falls outside the certificate's validity period. In this case, the certificate is treated as invalid.
One option is to set the time manually. Proceed as follows:
1. In the project tree, go to the device folder of the S7 CPU and select the "Online & diagnostics" item. The "Online & diagnostics" view opens.
2. Click the "Go online" button.
3. In "Functions > Set time", set the time by applying the module time from the PG/PC:
– Enable the "Take from PG/PC" function.
– Click the "Apply" button.
2.2.11 Determining the CP's hardware identifier
In the hardware configuration, determine the CP's hardware identifier.
Instructions
1. In the network or device view, select the CP. The Inspector window displays the CP properties.
2. In the area navigation of the "Properties" tab, go to "Ethernet interface [X1]" and select the "Hardware identifier" item to view the hardware identifier of the CP 1543-1.
3 Valuable Information
3.1 SMTP servers and ports of providers
The following table shows the SMTP servers and ports of some providers.
Table 3-1
Provider SMTP server Port
Web.de smtp.web.de 587
GMX mail.gmx.de 587
T-Online securesmtp.t-online.de 587, 465
Gmail smtp.google.com 587, 465
Note To determine the SMTP server's IP address, ping the SMTP server from a PG/PC. Enter the ping command, for example, "ping smtp.web.de" in the Command Prompt window.
3.2 Overview of the system data types of "TMAIL_C"
The following table provides an overview of all system data types of the "TMAIL_C" instruction.
Table 3-2
Columns: System data type | STEP 7 V13: secure connection (SMTP over TLS) / non-secure connection | STEP 7 V14: secure connection (SMTP over TLS) / non-secure connection | SMTP(S) ports
"TMail_V4" | Cannot be set
"TMail_V6" | Cannot be set
"TMail_FQDN" | Cannot be set
"TMail_V4_SEC" | Can be set
"TMail_V6_SEC" | Can be set
"TMail_QDN_SEC" | Can be set
"TMail_C" instruction | V3.0 (STEP 7 V13) | V4.0 (STEP 7 V14)
"Open user communication" library | V4.1 (STEP 7 V13) | V5.0 (STEP 7 V14)
For STEP 7 V14 or higher, the "TMail_V4_SEC", "TMail_V6_SEC" and "TMail_QDN_SEC" system data types are supported by the following components:
CP 1543-1 V2.0 or higher
CP 1542SP-1 IRC V1.0 or higher
CP 1543SP-1 V1.0 or higher
CP 1243-1 V2.1 or higher
CP 1242-7 GPRS V2.1 or higher
CP 1243-7 LTE V2.1 or higher
CP 1243-8 V2.1 or higher
3.3 Alternative solutions
This chapter shows you how to establish a secure connection to a mail server in STEP 7 V13 using the "TMAIL_C" instruction.
3.3.1 Integrating certificates into STEP 7 V13
In STEP 7 V13, insert the provider's certificate. In this application example, we insert the "Telekom Root CA 2" certificate:
1. Log the security user in to the global security settings with user name and password: In the project tree, go to "Global security settings" and double-click the "User login" item. If no security user has been created yet, create one. The login of the security user is required to insert the provider's certificate in the certificate manager.
2. To open the certificate manager in the workspace, proceed as follows: In the project tree, go to "Global security settings" and double-click the "Certificate manager" item.
3. In the "Trusted certificates and root certification authorities" tab, import the CA certificate that issues your provider's mail server certificate, in this example the "Telekom Root CA 2" certificate. A certificate imported here becomes a trust anchor for the CP: any server presenting a certificate that chains to it will pass the check, so compare the fingerprint of the file with the value published by the provider or the certification authority before importing it, and import only the CA your provider actually uses.
3.3.2 Configuring the CP 1543-1 in STEP 7 V13
1. Connect the CP 1543-1 to the Internet (see Chapter 2.2.6).
2. Configure the DNS server (see Chapter 2.2.7).
3. Set the S7-1500 CPU's time (see Chapter 2.2.10).
4. In the area navigation of the "Properties" tab, select the "Security" item and enable the "Activate security features" function.
3.3.3 Setting up a secure connection to an e-mail server in STEP 7 V13
Depending on the use case, the following system data types are available for parameterizing a secure e-mail connection on the "TMAIL_C" instruction:
"TMail_V4"
"TMail_V6"
"TMail_FQDN"
The following sections explain the parameters of the "TMail_FQDN" and "TMail_V4" system data types.
Parameterizing the "TMail_FQDN" system data type
With the "TMail_FQDN" system data type, the email server is addressed by its fully qualified domain name (FQDN). The destination port cannot be set. The following table shows the structure of the "TMail_FQDN" system data type.
Table 3-3
| Parameter | Data type | Value | Description |
|---|---|---|---|
| InterfaceId | LADDR | 261 | Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11) |
| ID | CONN_OUC | 1 | Connection ID |
| ConnectionType | BYTE | 16#22 | Connection type; 16#22 selects addressing of the e-mail server by FQDN |
| ActiveEstablishment | BOOL | - | Status bit; set to "1" when the connection has been established |
| CertIndex | BYTE | 16#1 | CertIndex = 1 specifies that a secure e-mail connection is set up; this requires the provider's CA certificate from Chapter 3.3.1 |
| WatchDogTime | TIME | T#1m | Time monitoring of execution; defines the maximum duration of sending |
| MailServerQDN | STRING[254] | for example 'smtp.provider.com' | FQDN (fully qualified domain name) of the e-mail server through which the e-mail is sent; a host name, so it contains neither an @ sign nor spaces |
| UserName | STRING[254] | for example 'myUserName' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account |
| PassWord | STRING[254] | for example 'myUserPassWord' | See UserName |
| From | EMAIL_ADDR | - | Sender address of the e-mail, composed of the following two STRING elements |
| From.LocalPartPlusAtSign | STRING[64] | for example 'myName@' | Local part of the sender address, including the @ sign |
| From.FullQualifiedDomainName | STRING[254] | for example 'provider.com' | Domain part of the sender address, i.e. the fully qualified domain name after the @ sign |
Note UserName and PassWord are stored as plain STRING values in the data block that holds the system data type and are therefore readable by anyone who can open the project or read the CPU's memory. Use a dedicated mailbox account with no rights beyond sending, and protect the project and the block (know-how protection, access control) accordingly.
Parameterizing the "TMail_V4" system data type
With the "TMail_V4" system data type, the e-mail server is addressed by its IPv4 address. The destination port cannot be set. The following table shows the structure of the "TMail_V4" system data type.
Table 3-4
| Parameter | Data type | Value | Description |
|---|---|---|---|
| InterfaceId | LADDR | 261 | Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11) |
| ID | CONN_OUC | 1 | Connection ID |
| ConnectionType | BYTE | 16#20 | Connection type; 16#20 selects addressing of the e-mail server by IPv4 address |
| ActiveEstablishment | BOOL | - | Status bit; set to "1" when the connection has been established |
| CertIndex | BYTE | 16#1 | CertIndex = 1 specifies that a secure e-mail connection is set up; this requires the provider's CA certificate from Chapter 3.3.1 |
| WatchDogTime | TIME | T#1m | Time monitoring of execution; defines the maximum duration of sending |
| MailServerAddress | IP_V4 | for example 213.165.67.108 | IPv4 address of the e-mail server through which the e-mail is sent (see the note on resolving it in Chapter 3.1) |
| UserName | STRING[254] | for example 'myUserName' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account |
| PassWord | STRING[254] | for example 'myUserPassWord' | See UserName |
| From | EMAIL_ADDR | - | Sender address of the e-mail, composed of the following two STRING elements |
| From.LocalPartPlusAtSign | STRING[64] | for example 'myName@' | Local part of the sender address, including the @ sign |
| From.FullQualifiedDomainName | STRING[254] | for example 'provider.com' | Domain part of the sender address, i.e. the fully qualified domain name after the @ sign |
Parameterizing the "TMAIL_C" instruction
In the user program of the S7 CPU, call the "TMAIL_C" instruction with one of the system data types "TMail_V4", "TMail_V6" or "TMail_FQDN" (see Chapter 2.2.9).
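A plausibility check of a "TMail_FQDN" or "TMail_V4" parameter set before it is downloaded, as an added Python example that is not part of the original application example and not Siemens code. The dictionary keys mirror the parameter names of Tables 3-3 and 3-4; the rules themselves (valid FQDN syntax for MailServerQDN, valid IPv4 syntax for MailServerAddress, connection type matching the addressing mode, CertIndex = 1, STRING length limits, a trailing @ in LocalPartPlusAtSign) are assumptions of this example about what a sensible configuration looks like, not checks the CP firmware performs. WatchDogTime is passed in seconds here, so T#1m from the tables becomes 60. The check catches the kind of slip that otherwise only shows up as a STATUS error at run time, such as an @ sign or a space in the server's FQDN, or a CertIndex of 0 that silently turns the connection into a non-secure one.

```python
"""Offline plausibility check for a TMail_FQDN / TMail_V4 parameter set before download.
Added example, not Siemens code; the rules below are this example's assumptions."""
import ipaddress
import re

CONN_TYPE_IPV4 = 0x20  # 16#20, Table 3-4
CONN_TYPE_FQDN = 0x22  # 16#22, Table 3-3
SECURE_CERT_INDEX = 1  # CertIndex = 1 selects the secure connection

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """Dot-separated host-name labels; rejects '@', spaces and over-long names."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def check_tmail_params(p: dict) -> list:
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    ctype = p.get("ConnectionType")
    if ctype == CONN_TYPE_FQDN:
        if not is_fqdn(p.get("MailServerQDN", "")):
            findings.append("MailServerQDN is not a valid FQDN")
    elif ctype == CONN_TYPE_IPV4:
        try:
            ipaddress.IPv4Address(p.get("MailServerAddress", ""))
        except ValueError:
            findings.append("MailServerAddress is not a valid IPv4 address")
    else:
        findings.append("ConnectionType is neither 16#20 (IPv4) nor 16#22 (FQDN)")
    if p.get("CertIndex") != SECURE_CERT_INDEX:
        findings.append("CertIndex is not 1: the connection would not be secured")
    if p.get("WatchDogTime_s", 0) <= 0:
        findings.append("WatchDogTime must be greater than 0")
    for name in ("UserName", "PassWord"):
        value = p.get(name, "")
        if not value:
            findings.append(name + " is empty")
        elif len(value) > 254:
            findings.append(name + " exceeds STRING[254]")
    local = p.get("LocalPartPlusAtSign", "")
    if not local.endswith("@") or local.count("@") != 1 or len(local) > 64:
        findings.append("LocalPartPlusAtSign must be the local part plus one trailing '@' (STRING[64])")
    domain = p.get("FullQualifiedDomainName", "")
    if not is_fqdn(domain) or len(domain) > 254:
        findings.append("FullQualifiedDomainName is not a valid domain (STRING[254])")
    return findings


# Constructed sample matching the example values of Table 3-3 (FQDN addressing).
EXAMPLE_FQDN_PARAMS = {
    "ConnectionType": CONN_TYPE_FQDN, "CertIndex": 1, "WatchDogTime_s": 60,
    "MailServerQDN": "smtp.provider.com",
    "UserName": "myUserName", "PassWord": "myUserPassWord",
    "LocalPartPlusAtSign": "myName@", "FullQualifiedDomainName": "provider.com",
}

if __name__ == "__main__":
    for finding in check_tmail_params(dict(EXAMPLE_FQDN_PARAMS, MailServerQDN="smtp@provider. com")):
        print(finding)
```

Run as a script it reports the malformed server name; with the values from the tables as written it reports nothing. The same function serves the "TMail_V4" layout by setting ConnectionType to 0x20 and supplying MailServerAddress instead of MailServerQDN.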
4 Appendix
4.1 Service and support
Industry Online Support
Do you have any questions or do you need support?
With Industry Online Support, our complete service and support know-how and services are available to you 24/7.
Industry Online Support is the place to go to for information about our products, solutions and services.
Product Information, Manuals, Downloads, FAQs and Application Examples – all the information can be accessed with just a few clicks: https://support.industry.siemens.com
Technical Support
Siemens Industry’s Technical Support offers you fast and competent support for any technical queries you may have, including numerous tailor-made offerings ranging from basic support to custom support contracts.
You can use the web form below to send queries to Technical Support: www.siemens.com/industry/supportrequest.
Service offer
Our service offer includes the following services:
Product Training
Plant Data Services
Spare Part Services
Repair Services
Field & Maintenance Services
Retrofit & Modernization Services
Service Programs & Agreements
For detailed information about our service offer, please refer to the Service Catalog: https://support.industry.siemens.com/cs/sc
Industry Online Support app
The "Siemens Industry Online Support" app provides you with optimum support while on the go. The app is available for Apple iOS, Android and Windows Phone: https://support.industry.siemens.com/cs/ww/en/sc/2067
4.2 Links and literature
Table 4-1
| No. | Topic |
|---|---|
| \1\ | Siemens Industry Online Support: https://support.industry.siemens.com |
| \2\ | Link to the entry page of this application example: https://support.industry.siemens.com/cs/ww/en/view/46817803 |
| \3\ | SIMATIC STEP 7 Professional V14.0: https://support.industry.siemens.com/cs/ww/en/view/109742272 |
4.3 Change documentation
Table 4-2
| Version | Date | Modifications |
|---|---|---|
| V1.0 | 06/2017 | First version |