
Sending Emails over Secure Email Connections with S7-1500 and S7-1200

CP 1543-1, CP 1243-1, STEP 7 V14, TMAIL_C

Siemens Industry Online Support
https://support.industry.siemens.com/cs/ww/en/view/46817803

Warranty and Liability

Note: The Application Examples are not binding and do not claim to be complete
regarding the circuits shown, equipping and any eventuality. The Application
Examples do not represent customer-specific solutions. They are only intended
to provide support for typical applications. You are responsible for ensuring that
the described products are used correctly. These Application Examples do not
relieve you of the responsibility to use safe practices in application, installation,
operation and maintenance. When using these Application Examples, you
recognize that we cannot be made liable for any damage/claims beyond the
liability clause described. We reserve the right to make changes to these
Application Examples at any time without prior notice.
If there are any deviations between the recommendations provided in these
Application Examples and other Siemens publications (e.g. catalogs), the
contents of the other documents have priority.

We do not accept any liability for the information contained in this document.
Any claims against us based on whatever legal reason resulting from the use of
the examples, information, programs, engineering and performance data etc.,
described in this Application Example shall be excluded. Such an exclusion shall
not apply in the case of mandatory liability, e.g. under the German Product Liability
Act (Produkthaftungsgesetz), in case of intent, gross negligence, or injury of life,
body or health, guarantee for the quality of a product, fraudulent concealment of a
deficiency or breach of a condition which goes to the root of the contract
(wesentliche Vertragspflichten). The damages for a breach of a substantial
contractual obligation are, however, limited to the foreseeable damage, typical for
the type of contract, except in the event of intent or gross negligence or injury to
life, body or health. The above provisions do not imply a change of the burden of
proof to your detriment.
Any form of duplication or distribution of these Application Examples or excerpts
hereof is prohibited without the expressed consent of the Siemens AG.

Siemens AG 2017 All rights reserved

Security information
Siemens provides products and solutions with industrial security functions that
support the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber
threats, it is necessary to implement and continuously maintain a holistic,
state-of-the-art industrial security concept. Siemens products and solutions only
form one element of such a concept.
The customer is responsible for preventing unauthorized access to its plants, systems,
machines and networks. Systems, machines and components should only be
connected to the enterprise network or the internet if and to the extent necessary
and with appropriate security measures (e.g. use of firewalls and network
segmentation) in place.
Additionally, Siemens guidance on appropriate security measures should be
taken into account. For more information about industrial security, please visit
http://www.siemens.com/industrialsecurity.
Siemens products and solutions undergo continuous development to make them
more secure. Siemens strongly recommends applying product updates as soon
as they are available and always using the latest product versions. Use of product
versions that are no longer supported, and failure to apply the latest updates, may
increase customers' exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial
Security RSS Feed under http://www.siemens.com/industrialsecurity.

Establishing Secure Connection to Email Server


Entry ID: 46817803, V1.0, 07/2017

Table of Contents
Warranty and Liability
1 Introduction
1.1 Overview
1.2 Mode of operation
1.3 Components used
2 Engineering
2.1 Hardware configuration
2.2 Configuration and parameterization
2.2.1 Determining and downloading the provider's certificate
2.2.2 Allowing email account access by CP
2.2.3 Activating the security features in the CP
2.2.4 Importing the provider certificate into STEP 7 (TIA Portal)
2.2.5 Adding the provider certificate to the CP
2.2.6 Connecting the CP to the Internet
2.2.7 Configuring the DNS server
2.2.8 Parameterizing the TMail system data types in STEP 7 (TIA Portal)
2.2.9 Parameterizing the "TMAIL_C" instruction
2.2.10 Setting the S7 CPU's time
2.2.11 Determining the CP's hardware identifier
3 Valuable Information
3.1 SMTP servers and ports of providers
3.2 Overview of the system data types of "TMAIL_C"
3.3 Alternative solutions
3.3.1 Integrating certificates into STEP 7 V13
3.3.2 Configuring the CP 1543-1 in STEP 7 V13
3.3.3 Setting up a secure connection to an e-mail server in STEP 7 V13
4 Appendix
4.1 Service and support
4.2 Links and literature
4.3 Change documentation

1 Introduction
1.1 Overview
Sending e-mails is used as the default mechanism for transmitting error conditions
or warnings from industrial plants to a control center or operating staff. The
SIMATIC S7 product range includes products that support this protocol.
Nowadays, for security reasons, most email servers only support secure
connections. Therefore, the secure email connection method has been added to
communications processors that support the "Send e-mail" function.
This application example shows you how to set up a secure connection (SMTP
over TLS) to an e-mail server with the CP 1543-1 in an S7-1500 station.

1.2 Mode of operation


The following figure shows the most important correlations between the
components involved and the steps that are necessary to set up a secure connection
(SMTP over TLS) to an e-mail server.
Figure 1-1: Engineering station with STEP 7 (TIA Portal) and its certificate store, the S7-1500/S7-1200 station with the "TMAIL_C" instruction and its TMail parameters, and the e-mail service provider's SMTP server with the e-mail account (user name, password), connected by SMTP over TLS. The figure numbers the steps 1 to 4 that are described in Table 1-1.

Table 1-1
Step | Description
1 | Determine the certificate of your e-mail service provider. In the e-mail account, allow the communications processor (CP) to access the e-mail account via SMTP or SMTPS.
2 | Import the certificate of your e-mail service provider into STEP 7 (TIA Portal).
3 | In the S7-1500 or S7-1200 station, perform the following configuration steps: add the certificate that you have imported into STEP 7 (TIA Portal) to the CP; connect the CP to the Internet; configure the DNS server; call and parameterize the "TMAIL_C" instruction in the user program of the S7 CPU; set the S7 CPU's time.
4 | Send the e-mail over a secure connection (SMTP over TLS).

1.3 Components used


This application example was created with the following hardware and software
components:
Table 1-2
Component | No. | Article no. | Note
CPU 1513-1 PN | 1 | 6ES7513-1AL01-0AB0 | Alternatively, you can use any other S7-1500 CPU, an S7-1200 CPU or an ET 200SP CPU.
CP 1543-1 | 1 | 6GK7543-1AX00-0XE0 | If you are using an S7-1200 CPU, you need one of the following CPs: CP 1243-1 (6GK7243-1BX30-0XE0), CP 1242-7 GPRS (6GK7242-7KX31-0XE0), CP 1243-7 LTE (6GK7243-7KX30-0XE0, 6GK7243-7SX30-0XE0), CP 1243-8 IRC (6GK7243-8RX30-0XE0). If you are using an ET 200SP CPU, you need one of the following CPs: CP 1542SP-1 IRC (6GK7542-6VX00-0XE0), CP 1543SP-1 (6GK7543-6WX00-0XE0).

This application example consists of the following components:


Table 1-3
Component | File name | Note
Document | 46817803_EMail_with_CP1543-1.pdf | -

2 Engineering
2.1 Hardware configuration
The following figure shows the hardware configuration.
Figure 2-1: Plant with the components 1 to 4 and the DSL router (5), connected via the Internet to the provider's e-mail server (e-mail account with user name and password) and to the e-mail recipient (e-mail client) in the control center.

The following table shows the IP addresses of the plant's hardware components.
Table 2-1
No. Component IP address Subnet mask
1 CPU 1513-1 PN 192.168.0.1 255.255.255.0
2 CP 1543-1 172.16.43.4 255.255.0.0
3 CPU 1214C 192.168.0.2 255.255.255.0
4 CP 1243-1 172.16.43.5 255.255.0.0
5 DSL router 172.16.0.1 255.255.0.0

2.2 Configuration and parameterization


2.2.1 Determining and downloading the provider's certificate

Overview
A certificate is a public key signed by the owner (in this case: the e-mail service
provider) that ensures its authenticity and integrity.
This certificate must first be determined and then downloaded from the provider's
website.

Determining the provider's certificate


This application example uses Google's e-mail service, Gmail, to demonstrate how to
import a certificate. Microsoft Internet Explorer is used as the Web browser. Other
browsers have different dialogs.

1. To determine your provider's certificate, log in to your Gmail account.


2. In the Internet Explorer address bar, click the "Security report" icon. The
"Website Identification" dialog opens.
3. Click "View certificates". The "Certificate" dialog opens.

4. Open the "Certification Path" tab. It displays the name of the certificate that is
used by your provider. Gmail uses the "GeoTrust Global CA" certificate.

Downloading the provider's certificate


Each provider normally offers the appropriate certificates for download on its
website.
As an example, Table 2-2 provides the links to Telekom's and Google's certificates.
Table 2-2
Name of certificate | Used by | Link
Telekom Root CA 2 | Web.de, GMX | Telekom Root CA 2 certificate
GeoTrust Global CA | Gmail | Use the Windows Console Root to export the certificate (see Figure 2-2). Then you can import the certificate into STEP 7 (TIA Portal). Requirement: The certificate is installed on the PC.
T-TeleSec GlobalRoot Class 3 | T-Online | T-TeleSec GlobalRoot Class 3

Figure 2-2

2.2.2 Allowing email account access by CP

In your email account, allow the CP to access your email account via SMTP or
SMTPS. These settings differ depending on the provider.
The following instructions show you how to allow the CP to access an email
account of the following providers:
GMX
Web.de
T-Online
Gmail
First, log in to your email account.

GMX
1. In the "E-mail" tab, click "Settings".
2. Select "POP3/IMAP demand".
3. Check the "Send and receive e-mails via external program (Outlook,
Thunderbird)" check box.
4. Click "Save".

Web.de
1. In the "Inbox" tab, click "Settings".
2. Select "POP3/IMAP demand".
3. Check the "Send and receive e-mails via external program (Outlook,
Thunderbird)" check box.
4. Click "Save".

T-Online
T-Online allows access by any e-mail client. The only thing that is necessary is a
valid e-mail password.
1. In the "Menu" tab, click "Settings".
2. Select "Passwörter" (Passwords).
3. In "E-mail password - For using an e-mail program", click "Change e-mail
password".
4. In "Set up additional e-mail program of other providers", click "Edit".
5. Specify a password.

Gmail
1. Click the "Settings" icon.
2. Select the "Settings" context menu.

3. Open the "Forwarding and POP/IMAP" tab.


4. In "IMAP access", select the "Enable IMAP" function.

5. Click "Save Changes".

6. Follow the instructions described at the link below:


Enabling Third-party Apps in Gmail

2.2.3 Activating the security features in the CP

Activating the security features in the CP requires that a user with sufficient
configuration rights be logged in.
A security user is authorized to make global security settings.

Creating a security user and logging the user in to the global security settings
To create a security user and log this user in to the global security settings, follow
the instructions below:
1. In the device or network view, select the CP. The Inspector window displays
the CP properties.
2. In the area navigation of the "Properties" tab, select the "Security" item to
display the CP's security properties in the Inspector window.

3. Click the "User login" button to create a new security user or log an existing
security user in to the global security settings.

4. If you need to create a new security user, make the following settings in the
"Global security settings > User login" dialog:
- Specify a user name and password.
- Confirm the password.
- Click the "Log in" button to create the security user and log the user in to
the global security settings.

5. To log an existing security user in to the global security settings, make the
following settings in the "Global security settings > User login" dialog:
- Enter the security user's user name and password.
- Click the "Log in" button.

6. The successful login of the security user is shown in the "Global security
settings > User login" dialog.

Activating security features


1. In the device or network view, select the CP. The Inspector window displays
the CP properties.
2. In the area navigation of the "Properties" tab, select the "Security" item to
display the CP's security properties in the Inspector window.
3. Enable the "Activate security features" function.

2.2.4 Importing the provider certificate into STEP 7 (TIA Portal)

The provider certificate must be imported into STEP 7 (TIA Portal). This application
example imports the "Telekom Root CA 2" certificate into STEP 7 (TIA Portal).

Requirement
The security user must be logged in to the global security settings. This login is
required to insert the provider's certificate in the certificate manager.
If necessary, log the security user in to the global security settings as described in
the following section:
1. In the project tree, go to "Global security settings" and double-click the "User
login" item.
2. In the STEP 7 (TIA Portal) workspace, enter the security user's user name and
password. Click the "Log in" button.

Note: Chapter 2.2.3 describes how to create a security user.

Instructions
1. To open the certificate manager in the STEP 7 (TIA Portal) workspace,
proceed as follows: In the project tree, go to "Global security settings" and
double-click the "Certificate manager" item.

2. In the "Certificate authority (CA)" tab, import the certificate, for example
"Telekom Root CA 2".

3. When you have imported the certificate, for example "Telekom Root CA 2", into
STEP 7 (TIA Portal), you must add it to the CP. Chapter 2.2.5 describes how to
do this.

2.2.5 Adding the provider certificate to the CP

Add the provider certificate to the CP.

Instructions for the CP 1543-1


1. In the device or network view, select the CP 1543-1. The Inspector window
displays the CP 1543-1 properties.
2. In the area navigation of the "Properties" tab, go to "Security" and select the
"Certificate manager" item to add the provider certificate to the CP 1543-1.
3. In "Certificates of the partner devices", add the "Telekom Root CA 2"
certificate. The ID is the certificate number. Enter this value in the connection
parameters for the "TLSServerCertRef" parameter.

Instructions for the CP 1243-1


1. In the device or network view, select the CP 1243-1. The Inspector window
displays the CP 1243-1 properties.
2. In the area navigation of the "Properties" tab, go to "Security" and select the
"Certificate manager" item to add the provider certificate to the CP 1243-1.
3. In "Trustworthy client certificates", add the "Telekom Root CA 2" certificate.
The ID is the certificate number. Enter this value in the connection parameters
for the "TLSServerCertRef" parameter.

2.2.6 Connecting the CP to the Internet

Connect the Ethernet interface of the CP to the router that establishes the
connection to the Internet (e.g., a DSL router).
In the hardware configuration, set the IP address and subnet mask of the CP and
the router address.

Instructions
1. In the network or device view, select the CP. The Inspector window displays
the CP properties.
2. In the area navigation of the "Properties" tab, go to "Ethernet interface [X1]"
and select the "Ethernet addresses" item.
3. Make the following settings:
- IP address and subnet mask of the CP
- Internal IP address of the DSL router

Note: The IP address of the CP and the internal IP address of the DSL router must be
in the same IP subnet.

2.2.7 Configuring the DNS server

The "TMAIL_C" instruction for sending an e-mail from the STEP 7 program can
address the SMTP server via different data structures.
The "TMail_FQDN" and "TMail_QDN_SEC" data structures address the SMTP
server in a fully qualified manner by the SMTP server name. If you are using these
data structures, you need to configure your DSL router as a DNS server.

Instructions
1. In the network or device view, select the CP. The Inspector window displays
the CP properties.
2. In the area navigation of the "Properties" tab, select the "DNS configuration"
item.
3. In Server list, add the internal IP address of the DSL router as the DNS server
address.

2.2.8 Parameterizing the TMail system data types in STEP 7 (TIA Portal)

Depending on the use case, the following system data types are available for
parameterizing a secure e-mail connection on the "TMAIL_C" instruction:
- "TMail_V4_SEC"
- "TMail_V6_SEC"
- "TMail_QDN_SEC"
The following sections explain the parameters of the "TMail_QDN_SEC" and
"TMail_V4_SEC" system data types.
For an overview of all system data types, see Chapter 3.1.

Parameterizing the "TMail_QDN_SEC" system data type


With the "TMail_QDN_SEC" system data type, the e-mail server is addressed by
its fully qualified domain name (FQDN).
Table 2-3
Parameter | Data type | Value | Description
InterfaceId | LADDR | 261 | Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11)
ID | CONN_OUC | 1 | Connection ID
Connectiontype | BYTE | 16#22 | Connection type. For FQDN, select 16#22 as the connection type.
ActiveEstablishment | BOOL | true | Active or passive connection establishment. As the CP is always the SMTP client, this parameter must be set to "true".
WatchDogTime | TIME | T#1m | Time monitoring of execution. Use this parameter to define the maximum duration of sending.
MailServerQDN | STRING[254] | For example: 'smtp@provider.com' | FQDN (fully qualified domain name) of the e-mail server from which you want to send an e-mail to a recipient.
UserName | STRING[254] | For example: 'myUserName' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account (authentication method: AUTH-LOGIN).
PassWord | STRING[254] | For example: 'myUserPassWord' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account (authentication method: AUTH-LOGIN).
From | EMAIL_ADDR | - | Sender address of the e-mail that is defined by the following two STRING parameters.
LocalPartPlusAtSign | STRING[64] | For example: 'myName@' | Local part of the sender address, including @ sign
FullQualifiedDomainName | STRING[254] | For example: 'provider.com' | FQDN (fully qualified domain name) of the e-mail server
RemotePort | UINT | 587 | TCP port of the e-mail server. Range of values: 25 (non-secure), 465 (secure), 587 (secure)
ActivateSecureConn | BOOL | true | True = secure SMTP connection. False = non-secure SMTP connection. In this case, the following parameters are irrelevant.
ExtTLSCapabilities | BYTE | 16#0 | Range of values: 16#0, 16#1. 16#1: The alternative subject is checked in the server's certificate. The IP address or DNS name entered in it must match the server's IP address or DNS name.
TLSServerCertRef | UDINT | 16#10 | Number of the certificate of the provider that was assigned in the certificate manager of STEP 7 V14 (see Chapter 2.2.5)

Parameterizing the "TMail_V4_SEC" system data type

With the "TMail_V4_SEC" system data type, the email server is addressed by the
IP address according to IPv4.
Table 2-4
Parameter | Data type | Value | Description
InterfaceId | LADDR | 261 | Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11)
ID | CONN_OUC | 1 | Connection ID
Connectiontype | BYTE | 16#20 | Connection type. For IPv4, select 16#20 as the connection type.
ActiveEstablishment | BOOL | true | Active/passive connection establishment. As the CP is always the SMTP client, this parameter must be set to "1".
WatchDogTime | TIME | T#1m | Time monitoring of execution. Use this parameter to define the maximum duration of sending.
MailServerAddress | IP_V4 | For example: 213.165.67.108 | IPv4 IP address of the e-mail server from which you want to send an e-mail.
UserName | STRING[254] | For example: 'myUserName' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account (authentication method: AUTH-LOGIN).
PassWord | STRING[254] | For example: 'myUserPassWord' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account (authentication method: AUTH-LOGIN).
From | EMAIL_ADDR | - | Sender address of the e-mail that is defined by the following two STRING parameters.
LocalPartPlusAtSign | STRING[64] | For example: 'myName@' | Local part of the sender address, including @ sign
FullQualifiedDomainName | STRING[254] | For example: 'provider.com' | FQDN (fully qualified domain name) of the e-mail server
RemotePort | UINT | 587 | TCP port of the e-mail server. Range of values: 25 (non-secure), 465 (secure), 587 (secure)
ActivateSecureConn | BOOL | true | True = secure SMTP connection. False = non-secure SMTP connection. In this case, the following parameters are irrelevant.
ExtTLSCapabilities | BYTE | 16#0 | Range of values: 16#0, 16#1. 16#1: The alternative subject is checked in the server's certificate. The IP address or DNS name entered in it must match the server's IP address or DNS name.
TLSServerCertRef | UDINT | 16#10 | Number of the certificate of the provider that was assigned in the certificate manager of STEP 7 V14 (see Chapter 2.2.5)

2.2.9 Parameterizing the "TMAIL_C" instruction

Call the "TMAIL_C" instruction cyclically in the user program of the S7-1500 or
S7-1200 CPU. The "TMAIL_C" instruction can be found in the "Instructions" task
card in "Communication > Open user communication".
The following figure shows the call of the "TMAIL_C" instruction in the user
program.

Figure 2-3

Input parameter
The following table shows the input parameters of the "TMAIL_C" instruction.
Table 2-5
Input parameter | Data type | Description
REQ | Bool | Control parameter. The REQ input parameter enables the sending of an e-mail in the case of a rising edge.
TO_S | String | Recipient address. String with a maximum length of 240 characters (bytes).
SUBJECT | String | The e-mail's subject line. String with a maximum length of 240 characters (bytes).
TEXT | String | Text of the e-mail. String with a maximum length of 240 characters (bytes). If an empty string is assigned at this parameter, the e-mail will be sent without text.
MAIL_ADDR_PARAM | Variant | Connection parameter: Parameter of the connection and address of the e-mail server (see Chapter 2.2.8)

Output parameter
The following table shows the output parameters of the "TMAIL_C" instruction.
Table 2-6
Output parameter | Data type | Description
DONE | Bool | Status parameter. DONE = 0: Job has not yet started or is still running. DONE = 1: Job completed without errors.
BUSY | Bool | Status parameter. BUSY = 0: Processing of TMAIL_C is complete. BUSY = 1: Sending the email is not yet complete.
ERROR | Bool | Status parameter. ERROR = 0: No error has occurred. ERROR = 1: An error has occurred while processing. STATUS provides detailed information about the error type.
STATUS | Word | Status parameter. Return value or error information of the "TMAIL_C" instruction

2.2.10 Setting the S7 CPU's time

As a certificate always includes a period for which it is valid, the time of the
S7 CPU that wants to encrypt with this certificate must be within this period.
For an S7 CPU straight from the factory or after a general reset of the S7 CPU, the
internal clock is set to a default that falls outside the certificate's validity interval. In
this case, the certificate is marked as invalid.
One option is to set the time manually. Proceed as follows:
1. In the project tree, go to the device folder of the S7 CPU and select the "Online
& diagnostics" item. The "Online & diagnostics" view opens.
2. Click the "Go online" button.


3. In "Functions > Set time", set the time by applying the module time from the
PG/PC:
- Enable the "Take from PG/PC" function.
- Click the "Apply" button.
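
The two certificate checks that this configuration depends on, the validity-period check against the CPU clock (this chapter) and the subject alternative name comparison enabled with ExtTLSCapabilities = 16#1 (Tables 2-3 and 2-4), can be reproduced on an engineering PC. The following Python sketch is an added example, not Siemens code and not the CP's firmware logic; the sample certificate, host names, addresses, the `UNSET_CLOCK` value and all function names are constructed, and the wildcard rule is an assumption that follows common TLS practice.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert();
# it is not a real provider certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "smtp.provider.example"),),),
    "notBefore": "Jun  1 00:00:00 2017 GMT",
    "notAfter": "Jun  1 00:00:00 2019 GMT",
    "subjectAltName": (
        ("DNS", "smtp.provider.example"),
        ("DNS", "*.mail.provider.example"),
        ("IP Address", "192.0.2.25"),
    ),
}

# Constructed stand-in for a CPU clock that was never set (assumption: the
# page only says the default lies outside the validity interval).
UNSET_CLOCK = datetime(2012, 1, 1, tzinfo=timezone.utc)


def within_validity(cert, cpu_time):
    """True if cpu_time (timezone-aware datetime) lies in notBefore..notAfter."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= cpu_time.timestamp() <= end


def _dns_match(pattern, host):
    """Case-insensitive label compare; '*' may stand only for the whole
    left-most label and never directly in front of a top-level domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_matches(cert, server):
    """Compare the configured server (MailServerQDN or MailServerAddress) with
    the subjectAltName entries. IP literals match only 'IP Address' entries,
    names match only 'DNS' entries."""
    sans = cert.get("subjectAltName", ())
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return any(k == "DNS" and _dns_match(v, server) for k, v in sans)
    return any(k == "IP Address" and ipaddress.ip_address(v) == addr
               for k, v in sans)


def check_connection(cert, server, cpu_time, ext_tls_capabilities):
    """Return the reasons the certificate would be rejected (empty = accept)."""
    problems = []
    if not within_validity(cert, cpu_time):
        problems.append("clock outside certificate validity period")
    # Bit 0 corresponds to ExtTLSCapabilities = 16#1 in Tables 2-3 and 2-4.
    if ext_tls_capabilities & 0x01 and not san_matches(cert, server):
        problems.append("server name/IP not in subjectAltName")
    return problems


if __name__ == "__main__":
    now = datetime(2017, 7, 15, tzinfo=timezone.utc)
    cases = [
        ("smtp.provider.example", now, 0x01),
        ("smtp.provider.example", UNSET_CLOCK, 0x01),
        ("192.0.2.99", now, 0x01),
        ("192.0.2.99", now, 0x00),  # mismatch goes unnoticed with 16#0
    ]
    for server, clock, caps in cases:
        result = check_connection(SAMPLE_CERT, server, clock, caps)
        print(server, clock.date(), hex(caps), result or "accepted")
```

The last case shows the practical difference between the two ExtTLSCapabilities values: with 16#0 a certificate issued for a different name or address is not flagged by this comparison.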


2.2.11 Determining the CP's hardware identifier

In the hardware configuration, determine the CP's hardware identifier.

Instructions
1. In the network or device view, select the CP. The Inspector window displays
the CP properties.
2. In the area navigation of the "Properties" tab, go to "Ethernet interface [X1]"
and select the "Hardware identifier" item to view the hardware identifier of the
CP 1543-1.

3 Valuable Information
3.1 SMTP servers and ports of providers
The following table shows the SMTP servers and ports of some providers.
Table 3-1
Provider SMTP server Port
Web.de smtp.web.de 587
GMX mail.gmx.de 587
T-Online securesmtp.t-online.de 587, 465
Gmail smtp.google.com 587, 465

Note: To determine the SMTP server's IP address, ping the SMTP server from a
PG/PC. Enter the ping command, for example, "ping smtp.web.de" in the
Command Prompt window.

3.2 Overview of the system data types of "TMAIL_C"


The following table provides an overview of all system data types of the "TMAIL_C"
instruction.
Table 3-2
Column headings: System data type; STEP 7 V13 (secure connection (SMTP over TLS), non-secure connection); STEP 7 V14 (secure connection (SMTP over TLS), non-secure connection); SMTP(S) ports

System data type | SMTP(S) ports
"TMail_V4" | Cannot be set
"TMail_V6" | Cannot be set
"TMail_FQDN" | Cannot be set
"TMail_V4_SEC" | Can be set
"TMail_V6_SEC" | Can be set
"TMail_QDN_SEC" | Can be set

Component | STEP 7 V13 | STEP 7 V14
"TMail_C" instruction | V3.0 | V4.0
"Open user communication" library | V4.1 | V5.0

For STEP 7 V14 or higher, the "TMail_V4_SEC", "TMail_V6_SEC" or
"TMAIL_QDN_SEC" system data types are supported by the following
components:
- CP 1543-1 V2.0 or higher
- CP 1542SP-1 IRC V1.0 or higher
- CP 1543SP-1 V1.0 or higher
- CP 1243-1 V2.1 or higher
- CP 1242-7 GPRS V2.1 or higher
- CP 1243-7 LTE V2.1 or higher
- CP 1243-8 V2.1 or higher

3.3 Alternative solutions


This chapter shows you how to establish a secure connection to a mail server in
STEP 7 V13 using the "TMAIL_C" instruction.

3.3.1 Integrating certificates into STEP 7 V13

In STEP 7 V13, insert the provider's certificate. In this application example, we
insert the "Telekom Root CA 2" certificate:
1. To log the security user in to the global security settings with user name and
password, proceed as follows: In the project tree, go to "Global security
settings" and double-click the "User login" item.
If a security user has not yet been created, create a new one. The login of the
security user is required to insert the provider's certificate in the certificate
manager.


2. To open the certificate manager in the workspace, proceed as follows: In the
project tree, go to "Global security settings" and double-click the "Certificate
manager" item.

3. In the "Trusted certificates and root certification authorities" tab, import, for
example, the "Telekom Root CA 2" certificate.


3.3.2 Configuring the CP 1543-1 in STEP 7 V13

1. Connect the CP 1543-1 to the Internet (see Chapter 2.2.6).
2. Configure the DNS server (see Chapter 2.2.7).
3. Set the S7-1500 CPU's time (see Chapter 2.2.10).
4. In the area navigation of the "Properties" tab, select the "Security" item and
enable the "Activate security features" function.

3.3.3 Setting up a secure connection to an e-mail server in STEP 7 V13

Depending on the use case, the following system data types are available for
parameterizing a secure e-mail connection on the "TMAIL_C" instruction:
- "TMail_V4"
- "TMail_V6"
- "TMail_FQDN"
The following sections explain the parameters of the "TMail_FQDN" and
"TMail_V4" system data types.

Parameterizing the "TMail_FQDN" system data type


With the "TMail_FQDN" system data type, the email server is addressed by its fully
qualified domain name (FQDN). The destination port cannot be set. The following
table shows the structure of the "TMail_FQDN" system data type.


Table 3-3
| Parameter | Data type | Value | Description |
|---|---|---|---|
| InterfaceId | LADDR | 261 | Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11) |
| ID | CONN_OUC | 1 | Connection ID |
| Connectiontype | BYTE | 16#22 | Connection type. For FQDN, select 16#22 as the connection type. |
| ActiveEstablishment | BOOL | - | Status bit. When the connection has been established, the status bit is set to "1". |
| CertIndex | BYTE | 16#1 | Set the "CertIndex" parameter = 1. This specifies that a secure e-mail connection is being set up. |
| WatchDogTime | TIME | T#1m | Time monitoring of execution. Use this parameter to define the maximum duration of sending. |
| MailServerQDN | STRING[254] | For example: 'smtp@provider.com' | FQDN (fully qualified domain name) of the e-mail server from which you want to send an email. |
| UserName | STRING[254] | For example: 'myUserName' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account. |
| PassWord | STRING[254] | For example: 'myUserPassWord' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account. |
| From | EMAIL_ADDR | - | Sender address of the e-mail that is defined by the following two STRING parameters. |
| LocalPartPlusAtSign | STRING[64] | For example: 'myName@' | Local part of the sender address, including @ sign |
| FullQualifiedDomainName | STRING[254] | For example: 'provider.com' | FQDN (fully qualified domain name) of the e-mail server. |


Parameterizing the "TMail_V4" system data type


With the "TMail_V4" system data type, the email server is addressed by the
IP address according to IPv4. The destination port cannot be set. The following
table shows the structure of the "TMail_V4" system data type.
Table 3-4
| Parameter | Data type | Value | Description |
|---|---|---|---|
| InterfaceId | LADDR | 261 | Hardware identifier of the Ethernet interface of the CP 1543-1 (see Chapter 2.2.11) |
| ID | CONN_OUC | 1 | Connection ID |
| Connectiontype | BYTE | 16#20 | Connection type. For IPv4, select 16#20 as the connection type. |
| ActiveEstablishment | BOOL | - | Status bit. When the connection has been established, the status bit is set to "1". |
| CertIndex | BYTE | 16#1 | Set the "CertIndex" parameter = 1. By setting the "CertIndex" parameter = 1, you specify that a secure e-mail connection will be set up. |
| WatchDogTime | TIME | T#1m | Time monitoring of execution. Use this parameter to define the maximum duration of sending. |
| MailServerAddress | IP_V4 | For example: 213.165.67.108 | IPv4 IP address of the e-mail server from which you want to send an email. |
| UserName | STRING[254] | For example: 'myUserName' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account. |
| PassWord | STRING[254] | For example: 'myUserPassWord' | With the user name and password, the user identifies himself to the e-mail service provider as the owner of the e-mail account. |
| From | EMAIL_ADDR | - | Sender address of the e-mail that is defined by the following two STRING parameters. |
| LocalPartPlusAtSign | STRING[64] | For example: 'myName@' | Local part of the sender address, including @ sign |
| FullQualifiedDomainName | STRING[254] | For example: 'provider.com' | FQDN (fully qualified domain name) of the e-mail server. |
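
A check of a "TMail_FQDN" or "TMail_V4" parameter set against the fixed values and string limits in Tables 3-3 and 3-4, run on the PG/PC before the values are entered in STEP 7. This Python code is an added example and not part of the Siemens application example; the dictionary layout, the name check_tmail and the sample values are assumptions.

```python
import ipaddress

# Fixed values and string limits as listed in Tables 3-3 and 3-4.
CONN_TYPE = {"TMail_FQDN": 0x22, "TMail_V4": 0x20}
MAX_LEN = {"UserName": 254, "PassWord": 254,
           "LocalPartPlusAtSign": 64, "FullQualifiedDomainName": 254}

def check_tmail(sdt, p):
    """Return findings for one parameter set; an empty list means no findings."""
    if sdt not in CONN_TYPE:
        return [f"unsupported system data type {sdt!r}"]
    findings = []
    if p.get("Connectiontype") != CONN_TYPE[sdt]:
        findings.append(f"Connectiontype must be 16#{CONN_TYPE[sdt]:02X} for {sdt}")
    if p.get("CertIndex") != 1:
        findings.append("CertIndex must be 1 for a secure e-mail connection")
    for name, limit in MAX_LEN.items():
        value = p.get(name, "")
        if not value:
            findings.append(f"{name} is empty")
        elif len(value) > limit:  # ASCII assumed: one character per byte
            findings.append(f"{name} exceeds STRING[{limit}]")
    local = p.get("LocalPartPlusAtSign", "")
    if local and not local.endswith("@"):
        findings.append("LocalPartPlusAtSign must end with the @ sign")
    if sdt == "TMail_FQDN":
        if not 0 < len(p.get("MailServerQDN", "")) <= 254:
            findings.append("MailServerQDN must be 1..254 characters")
    else:
        try:
            ipaddress.IPv4Address(p.get("MailServerAddress", ""))
        except ValueError:
            findings.append("MailServerAddress is not a valid IPv4 address")
    return findings

# Constructed parameter sets using the placeholder values from the tables.
GOOD_FQDN = {"Connectiontype": 0x22, "CertIndex": 1,
             "MailServerQDN": "smtp.web.de",
             "UserName": "myUserName", "PassWord": "myUserPassWord",
             "LocalPartPlusAtSign": "myName@",
             "FullQualifiedDomainName": "provider.com"}
# Same account data declared as TMail_V4, with four deliberate mistakes.
BAD_V4 = dict(GOOD_FQDN, CertIndex=0, MailServerAddress="213.165.67.300",
              LocalPartPlusAtSign="myName")

if __name__ == "__main__":
    for finding in check_tmail("TMail_V4", BAD_V4):
        print("FINDING:", finding)
```
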

Parameterizing the "TMAIL_C" instruction


In the user program of the S7 CPU, call the "TMAIL_C" instruction with one of the
system data types "TMail_V4", "TMail_V6" or "TMail_FQDN" (see Chapter 2.2.9).

4 Appendix
4.1 Service and support
Industry Online Support
Do you have any questions or do you need support?
With Industry Online Support, our complete service and support know-how and
services are available to you 24/7.
Industry Online Support is the place to go to for information about our products,
solutions and services.
Product Information, Manuals, Downloads, FAQs and Application Examples: all
the information can be accessed with just a few clicks:
https://support.industry.siemens.com

Technical Support
Siemens Industry's Technical Support offers you fast and competent support for
any technical queries you may have, including numerous tailor-made offerings
ranging from basic support to custom support contracts.
You can use the web form below to send queries to Technical Support:
www.siemens.com/industry/supportrequest.

Service offer
Our service offer includes the following services:
- Product Training
- Plant Data Services
- Spare Part Services
- Repair Services
- Field & Maintenance Services
- Retrofit & Modernization Services
- Service Programs & Agreements
For detailed information about our service offer, please refer to the Service
Catalog:
https://support.industry.siemens.com/cs/sc

Industry Online Support app


The "Siemens Industry Online Support" app provides you with optimum support
while on the go. The app is available for Apple iOS, Android and Windows Phone:
https://support.industry.siemens.com/cs/ww/en/sc/2067


4.2 Links and literature


Table 4-1
| No. | Topic |
|---|---|
| \1\ | Siemens Industry Online Support, https://support.industry.siemens.com |
| \2\ | Link to this entry page of this application example, https://support.industry.siemens.com/cs/ww/en/view/46817803 |
| \3\ | SIMATIC STEP 7 Professional V14.0, https://support.industry.siemens.com/cs/ww/en/view/109742272 |

4.3 Change documentation


Table 4-2
| Version | Date | Modifications |
|---|---|---|
| V1.0 | 06/2017 | First version |