From ead5526efa4f713e8001baed409067b0474cb72d Mon Sep 17 00:00:00 2001 From: Franz Schwartau Date: Mon, 21 Aug 2023 16:53:48 +0200 Subject: Add support for SMTP over TLS This is commonly used on smtps (465) port. PROXY protocol is not implemented with TLS in check_smtp.c, yet. Backported from nagios-plugins: https://github.com/nagios-plugins/nagios-plugins/commit/0a8cf08ebb0740aa55d6c60d3b79fcab282604fb --- plugins/check_smtp.c | 46 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 37 insertions(+), 9 deletions(-) (limited to 'plugins') diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 996bd875..f3ba9e38 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -42,8 +42,8 @@ const char *email = "devel@monitoring-plugins.org"; #ifdef HAVE_SSL int check_cert = FALSE; int days_till_exp_warn, days_till_exp_crit; -# define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) -# define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) +# define my_recv(buf, len) (((use_starttls || use_ssl) && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) +# define my_send(buf, len) (((use_starttls || use_ssl) && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) #else /* ifndef HAVE_SSL */ # define my_recv(buf, len) read(sd, buf, len) # define my_send(buf, len) send(sd, buf, len, 0) @@ -103,6 +103,7 @@ double critical_time = 0; int check_critical_time = FALSE; int verbose = 0; int use_ssl = FALSE; +int use_starttls = FALSE; int use_sni = FALSE; short use_proxy_prefix = FALSE; short use_ehlo = FALSE; @@ -186,12 +187,25 @@ main (int argc, char **argv) result = my_tcp_connect (server_address, server_port, &sd); if (result == STATE_OK) { /* we connected */ +#ifdef HAVE_SSL + if (use_ssl) { + result = np_net_ssl_init_with_hostname(sd, (use_sni ? server_address : NULL)); + if (result != STATE_OK) { + printf (_("CRITICAL - Cannot create SSL context.\n")); + close(sd); + np_net_ssl_cleanup(); + return STATE_CRITICAL; + } else { + ssl_established = 1; + } + } +#endif /* If requested, send PROXY header */ if (use_proxy_prefix) { if (verbose) printf ("Sending header %s\n", PROXY_PREFIX); - send(sd, PROXY_PREFIX, strlen(PROXY_PREFIX), 0); + my_send(PROXY_PREFIX, strlen(PROXY_PREFIX)); } /* watch for the SMTP connection string and */ @@ -205,7 +219,7 @@ main (int argc, char **argv) xasprintf(&server_response, "%s", buffer); /* send the HELO/EHLO command */ - send(sd, helocmd, strlen(helocmd), 0); + my_send(helocmd, strlen(helocmd)); /* allow for response to helo command to reach us */ if (recvlines(buffer, MAX_INPUT_BUFFER) <= 0) { @@ -218,14 +232,14 @@ main (int argc, char **argv) } } - if(use_ssl && ! supports_tls){ + if(use_starttls && ! supports_tls){ printf(_("WARNING - TLS not supported by server\n")); smtp_quit(); return STATE_WARNING; } #ifdef HAVE_SSL - if(use_ssl) { + if(use_starttls) { /* send the STARTTLS command */ send(sd, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0); @@ -489,6 +503,7 @@ process_arguments (int argc, char **argv) {"use-ipv6", no_argument, 0, '6'}, {"help", no_argument, 0, 'h'}, {"lmtp", no_argument, 0, 'L'}, + {"ssl", no_argument, 0, 's'}, {"starttls",no_argument,0,'S'}, {"sni", no_argument, 0, SNI_OPTION}, {"certificate",required_argument,0,'D'}, @@ -510,7 +525,7 @@ process_arguments (int argc, char **argv) } while (1) { - c = getopt_long (argc, argv, "+hVv46Lrt:p:f:e:c:w:H:C:R:SD:F:A:U:P:q", + c = getopt_long (argc, argv, "+hVv46Lrt:p:f:e:c:w:H:C:R:sSD:F:A:U:P:q", longopts, &option); if (c == -1 || c == EOF) @@ -632,10 +647,13 @@ process_arguments (int argc, char **argv) #else usage (_("SSL support not available - install OpenSSL and recompile")); #endif - // fall through + case 's': + /* ssl */ + use_ssl = TRUE; + break; case 'S': /* starttls */ - use_ssl = TRUE; + use_starttls = TRUE; use_ehlo = TRUE; break; case SNI_OPTION: @@ -694,6 +712,14 @@ process_arguments (int argc, char **argv) if (from_arg==NULL) from_arg = strdup(" "); + if (use_starttls && use_ssl) { + usage4 (_("Set either -s/--ssl or -S/--starttls")); + } + + if (use_ssl && use_proxy_prefix) { + usage4 (_("PROXY protocol (-r/--proxy) is not implemented with SSL/TLS (-s/--ssl), yet.")); + } + return validate_arguments (); } @@ -851,6 +877,8 @@ print_help (void) #ifdef HAVE_SSL printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]"); printf (" %s\n", _("Minimum number of days a certificate has to be valid.")); + printf (" %s\n", "-s, --ssl"); + printf (" %s\n", _("Use SSL/TLS for the connection.")); printf (" %s\n", "-S, --starttls"); printf (" %s\n", _("Use STARTTLS for the connection.")); printf (" %s\n", "--sni"); -- cgit v1.2.3-74-g34f1 From e823896d8a39618e0cb60c5cd4e46f13bbc6a51d Mon Sep 17 00:00:00 2001 From: Franz Schwartau Date: Wed, 14 Jun 2023 18:27:24 +0200 Subject: check_smtp: set default port to smtps (465) for TLS The port can still be set with -p. --- plugins/check_smtp.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index f3ba9e38..474557d5 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -50,7 +50,8 @@ int days_till_exp_warn, days_till_exp_crit; #endif enum { - SMTP_PORT = 25 + SMTP_PORT = 25, + SMTPS_PORT = 465 }; #define PROXY_PREFIX "PROXY TCP4 0.0.0.0 0.0.0.0 25 25\r\n" #define SMTP_EXPECT "220" @@ -650,6 +651,7 @@ process_arguments (int argc, char **argv) case 's': /* ssl */ use_ssl = TRUE; + server_port = SMTPS_PORT; break; case 'S': /* starttls */ @@ -879,6 +881,7 @@ print_help (void) printf (" %s\n", _("Minimum number of days a certificate has to be valid.")); printf (" %s\n", "-s, --ssl"); printf (" %s\n", _("Use SSL/TLS for the connection.")); + printf (_(" Sets default port to %d.\n"), SMTPS_PORT); printf (" %s\n", "-S, --starttls"); printf (" %s\n", _("Use STARTTLS for the connection.")); printf (" %s\n", "--sni"); -- cgit v1.2.3-74-g34f1 From da81dd3cf29c16ff1f9cf735482b9d4a0619f501 Mon Sep 17 00:00:00 2001 From: Franz Schwartau Date: Wed, 14 Jun 2023 20:25:50 +0200 Subject: check_smtp: remove restriction of --proxy with --ssl --- plugins/check_smtp.c | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) (limited to 'plugins') diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 474557d5..4ceb9565 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -188,6 +188,13 @@ main (int argc, char **argv) result = my_tcp_connect (server_address, server_port, &sd); if (result == STATE_OK) { /* we connected */ + /* If requested, send PROXY header */ + if (use_proxy_prefix) { + if (verbose) + printf ("Sending header %s\n", PROXY_PREFIX); + my_send(PROXY_PREFIX, strlen(PROXY_PREFIX)); + } + #ifdef HAVE_SSL if (use_ssl) { result = np_net_ssl_init_with_hostname(sd, (use_sni ? server_address : NULL)); @@ -202,13 +209,6 @@ main (int argc, char **argv) } #endif - /* If requested, send PROXY header */ - if (use_proxy_prefix) { - if (verbose) - printf ("Sending header %s\n", PROXY_PREFIX); - my_send(PROXY_PREFIX, strlen(PROXY_PREFIX)); - } - /* watch for the SMTP connection string and */ /* return a WARNING status if we couldn't read any data */ if (recvlines(buffer, MAX_INPUT_BUFFER) <= 0) { @@ -718,10 +718,6 @@ process_arguments (int argc, char **argv) usage4 (_("Set either -s/--ssl or -S/--starttls")); } - if (use_ssl && use_proxy_prefix) { - usage4 (_("PROXY protocol (-r/--proxy) is not implemented with SSL/TLS (-s/--ssl), yet.")); - } - return validate_arguments (); } -- cgit v1.2.3-74-g34f1 From 079c300dcc6479b53e1f84a6b9446c7f403a7612 Mon Sep 17 00:00:00 2001 From: Franz Schwartau Date: Wed, 14 Jun 2023 20:29:25 +0200 Subject: check_smtp: add new longoption --tls This is an alias for -s/--ssl. --- plugins/check_smtp.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'plugins') diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 4ceb9565..3990ad82 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -505,6 +505,7 @@ process_arguments (int argc, char **argv) {"help", no_argument, 0, 'h'}, {"lmtp", no_argument, 0, 'L'}, {"ssl", no_argument, 0, 's'}, + {"tls", no_argument, 0, 's'}, {"starttls",no_argument,0,'S'}, {"sni", no_argument, 0, SNI_OPTION}, {"certificate",required_argument,0,'D'}, @@ -715,7 +716,7 @@ process_arguments (int argc, char **argv) from_arg = strdup(" "); if (use_starttls && use_ssl) { - usage4 (_("Set either -s/--ssl or -S/--starttls")); + usage4 (_("Set either -s/--ssl/--tls or -S/--starttls")); } return validate_arguments (); @@ -875,7 +876,7 @@ print_help (void) #ifdef HAVE_SSL printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]"); printf (" %s\n", _("Minimum number of days a certificate has to be valid.")); - printf (" %s\n", "-s, --ssl"); + printf (" %s\n", "-s, --ssl, --tls"); printf (" %s\n", _("Use SSL/TLS for the connection.")); printf (_(" Sets default port to %d.\n"), SMTPS_PORT); printf (" %s\n", "-S, --starttls"); -- cgit v1.2.3-74-g34f1 From ce96ef868a5ee14947b9e213e3c36917cdd9e786 Mon Sep 17 00:00:00 2001 From: Franz Schwartau Date: Tue, 29 Aug 2023 09:35:53 +0200 Subject: check_smtp: Let port option always take precedence MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise -s/--ssl would overwrite a port given with -p if it comes after it, e. g. check_smtp -H mailhost.example.com -p 4465 --ssl Found-By: Lorenz Kästle --- plugins/check_smtp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'plugins') diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index 3990ad82..fc0ae2c4 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -84,6 +84,7 @@ int eflags = 0; int errcode, excode; int server_port = SMTP_PORT; +int server_port_option = 0; char *server_address = NULL; char *server_expect = NULL; char *mail_command = NULL; @@ -544,7 +545,7 @@ process_arguments (int argc, char **argv) break; case 'p': /* port */ if (is_intpos (optarg)) - server_port = atoi (optarg); + server_port_option = atoi (optarg); else usage4 (_("Port must be a positive integer")); break; @@ -719,6 +720,10 @@ process_arguments (int argc, char **argv) usage4 (_("Set either -s/--ssl/--tls or -S/--starttls")); } + if (server_port_option != 0) { + server_port = server_port_option; + } + return validate_arguments (); } -- cgit v1.2.3-74-g34f1