net-analyzer/nagios-plugins/files/check_smtp-implicit-tls.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

From 0a8cf08ebb0740aa55d6c60d3b79fcab282604fb Mon Sep 17 00:00:00 2001
From: Franz Schwartau <franz@electromail.org>
Date: Tue, 1 Sep 2020 12:48:51 +0200
Subject: [PATCH 1/3] Add support for SMTP over TLS

This is commonly used on smtps (465) port.

PROXY protocol is not implemented with TLS in check_smtp.c, yet.
---
 plugins/check_smtp.c | 45 ++++++++++++++++++++++++++++++++++++--------
 1 file changed, 37 insertions(+), 8 deletions(-)

diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 0b1c54d4..d5923a6a 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -42,8 +42,8 @@ const char *email = "devel@nagios-plugins.org";
 #ifdef HAVE_SSL
 int check_cert = FALSE;
 int days_till_exp_warn, days_till_exp_crit;
-#  define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
-#  define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
+#  define my_recv(buf, len) (((use_starttls || use_ssl) && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
+#  define my_send(buf, len) (((use_starttls || use_ssl) && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
 #else /* ifndef HAVE_SSL */
 #  define my_recv(buf, len) read(sd, buf, len)
 #  define my_send(buf, len) send(sd, buf, len, 0)
@@ -107,6 +107,7 @@ double critical_time = 0;
 int check_critical_time = FALSE;
 int verbose = 0;
 int use_ssl = FALSE;
+int use_starttls = FALSE;
 int use_sni = FALSE;
 short use_proxy_prefix = FALSE;
 short use_ehlo = FALSE;
@@ -199,12 +200,25 @@ main (int argc, char **argv)
 	result = my_tcp_connect (server_address, server_port, &sd);
 
 	if (result == STATE_OK) { /* we connected */
+#ifdef HAVE_SSL
+		if (use_ssl) {
+			result = np_net_ssl_init_with_hostname(sd, (use_sni ? server_address : NULL));
+			if (result != STATE_OK) {
+				printf (_("CRITICAL - Cannot create SSL context.\n"));
+				close(sd);
+				np_net_ssl_cleanup();
+				return STATE_CRITICAL;
+			} else {
+				ssl_established = 1;
+			}
+		}
+#endif
 
 		/* If requested, send PROXY header */
 		if (use_proxy_prefix) {
 			if (verbose)
 				printf ("Sending header %s\n", PROXY_PREFIX);
-			send(sd, PROXY_PREFIX, strlen(PROXY_PREFIX), 0);
+			my_send(PROXY_PREFIX, strlen(PROXY_PREFIX));
 		}
 
 		/* watch for the SMTP connection string and */
@@ -230,7 +244,7 @@ main (int argc, char **argv)
 		}
 
 		/* send the HELO/EHLO command */
-		send(sd, helocmd, strlen(helocmd), 0);
+		my_send(helocmd, strlen(helocmd));
 
 		/* allow for response to helo command to reach us */
 		if (recvlines(buffer, MAX_INPUT_BUFFER) <= 0) {
@@ -243,14 +257,14 @@ main (int argc, char **argv)
 			}
 		}
 
-		if(use_ssl && ! supports_tls){
+		if(use_starttls && ! supports_tls){
 			printf(_("WARNING - TLS not supported by server\n"));
 			smtp_quit();
 			return STATE_WARNING;
 		}
 
 #ifdef HAVE_SSL
-		if(use_ssl) {
+		if(use_starttls) {
 		  /* send the STARTTLS command */
 		  send(sd, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0);
 
@@ -495,6 +509,7 @@ process_arguments (int argc, char **argv)
 		{"use-ipv6", no_argument, 0, '6'},
 		{"help", no_argument, 0, 'h'},
 		{"lmtp", no_argument, 0, 'L'},
+		{"ssl", no_argument, 0, 's'},
 		{"starttls",no_argument,0,'S'},
 		{"sni", no_argument, 0, SNI_OPTION},
 		{"certificate",required_argument,0,'D'},
@@ -516,7 +531,7 @@ process_arguments (int argc, char **argv)
 	}
 
 	while (1) {
-		c = getopt_long (argc, argv, "+hVv46Lrt:p:f:e:c:w:H:C:R:SD:F:A:U:P:q",
+		c = getopt_long (argc, argv, "+hVv46Lrt:p:f:e:c:w:H:C:R:sSD:F:A:U:P:q",
 		                 longopts, &option);
 
 		if (c == -1 || c == EOF)
@@ -633,9 +648,13 @@ process_arguments (int argc, char **argv)
 #else
 			usage (_("SSL support not available - install OpenSSL and recompile"));
 #endif
+		case 's':
+		/* ssl */
+			use_ssl = TRUE;
+			break;
 		case 'S':
 		/* starttls */
-			use_ssl = TRUE;
+			use_starttls = TRUE;
 			use_ehlo = TRUE;
 			break;
 		case SNI_OPTION:
@@ -694,6 +713,14 @@ process_arguments (int argc, char **argv)
 	if (from_arg==NULL)
 		from_arg = strdup(" ");
 
+	if (use_starttls && use_ssl) {
+		usage4 (_("Set either -s/--ssl or -S/--starttls"));
+	}
+
+	if (use_ssl && use_proxy_prefix) {
+		usage4 (_("PROXY protocol (-r/--proxy) is not implemented with SSL/TLS (-s/--ssl), yet."));
+	}
+
 	return validate_arguments ();
 }
 
@@ -851,6 +878,8 @@ print_help (void)
 #ifdef HAVE_SSL
   printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
   printf ("    %s\n", _("Minimum number of days a certificate has to be valid."));
+  printf (" %s\n", "-s, --ssl");
+  printf ("    %s\n", _("Use SSL/TLS for the connection."));
   printf (" %s\n", "-S, --starttls");
   printf ("    %s\n", _("Use STARTTLS for the connection."));
   printf (" %s\n", "--sni");