Generic SMTP check over TLS returns incorrect validity time range
I’m trying to find a workaround for #1040 with this:
check host host-domain-smtp with address host.domain.tld
if failed port 25 ssl with options { selfsigned: allow cacertificatefile: /etc/ssl/domain.tld.ca.crt } and certificate valid > 30 days and timeout 10 seconds and
expect "^220.*"
send "EHLO other.host.domain.tld\r\n"
expect "^250.*"
send "QUIT\r\n"
for 3 cycles
then alert
But I get this result instead, compared to what I get when using the SMTP protocol over TLS:
Remote Host 'host-domain-smtp'
status Timestamp failed
monitoring status Monitored
monitoring mode active
on reboot start
port response time 6.577 s to host.domain.tld:25 type TCP/IP using TLS (certificate valid for 0 days) protocol generic
data collected Tue, 24 May 2022 21:15:02
Comments (7)
reporter Yes, I’m sure. My SMTP servers are configured to accept TLS on 25. But I just checked on 587 – same issue.
I have another SMTP host that doesn’t have EHLO verification enabled where workaround for #1040 isn’t needed, and it works as expected:
check host another-host-domain-smtp with address another.host.domain.tld
if failed port 25 address XX.XX.XX.XX ssl with options { selfsigned: allow cacertificatefile: /etc/ssl/domain.tld.ca.crt } protocol smtps and certificate valid > 30 days
for 3 cycles
then alert
with this status:
Remote Host 'another-host-domain-smtp'
status OK
monitoring status Monitored
monitoring mode active
on reboot start
port response time 59.840 ms to another.host.domain.tld:25 type TCP/IP using TLS (certificate valid for 1091 days) protocol SMTP
data collected Wed, 25 May 2022 17:36:23
reporter To add, send commands are being executed successfully from the check above on the remote SMTP host along with the TLS-established connection. It’s just cert validity that’s reported incorrectly.
Hello Vlad,
no idea what is going wrong, sorry.
check host smtp with address mail.domain.tld
if failed port 465 ssl with certificate valid > 30 days and timeout 10 seconds and
expect "^220.*"
send "EHLO other.host.domain.tld\r\n"
expect "^250.*"
send "QUIT\r\n"
# for 3 cycles
then alert
This works well, I think (tested based on Monit 5.31.0).
I got the following after I start "monit -I -vv".
GENERIC: successfully received: '220 gmx.net (mrgmx004) Nemesis ESMTP Service ready '
GENERIC: successfully sent: 'EHLO other.host.domain.tld '
GENERIC: successfully received: '250-gmx.net Hello other.host.domain.tld [89.183.221.187] 250-8BITMIME 250-AUTH LOGIN PLAIN 250 SIZE 69920427 '
GENERIC: successfully sent: 'QUIT '
'smtp' succeeded testing protocol [generic] at [mail.domain.tld]:465 [TCP/IP TLS] [response time 975.693 ms]
'smtp' connection succeeded to [mail.domain.tld]:465 [TCP/IP TLS]
'smtp' certificate valid days test succeeded [valid for 319 days]
This is what I expected, the status is "OK" for the service. For port 25 I got the following, but the port does not support StartTLS/TLS.
'smtp' succeeded testing protocol [generic] at [mail.domain.tld]:25 [TCP/IP TLS] [response time 1.015 s]
'smtp' connection succeeded to [mail.domain.tld]:25 [TCP/IP TLS]
'smtp' certificate expiry in 0 days matches check limit [valid > 30 days]
And the status is "Timestamp failed".
My suggestion: remove your cacertificate file or the whole option from your definition. From my point of view, the cacertificate file is not necessary if you use a self-signed certificate.
With regards,
Lutz
reporter Oh, I think I know what the issue is. When I specify protocol smtps it tries to use STARTTLS on port 25 and succeeds. While with the generic TCP check it uses TLS-on-connect, which is not enforced anywhere on my servers (but I can on 465/587). So it fails for 25, where only STARTTLS is supported.
So unfortunately, until #1040 is resolved, there’s no way to use generic TCP in favor of the SMTP check on ports with only STARTTLS support.
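As an added example (not from this thread and not Monit's own code), a small Python checker that does what the reporter describes the generic check cannot: connect in plaintext, send EHLO, upgrade explicitly with STARTTLS, and then measure the certificate's remaining validity against a threshold. The EHLO sample, the client hostname and the cafile argument are assumptions; cafile is taken to be the CA that signed the server certificate.

```python
import smtplib
import ssl
import time
from typing import Optional, Set, Tuple

# Constructed sample of a multi-line EHLO reply in the form Monit logs it.
SAMPLE_EHLO = ("250-mx.example.invalid Hello other.host.domain.tld [192.0.2.10]\r\n"
               "250-8BITMIME\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250 SIZE 69920427\r\n")


def ehlo_extensions(raw_reply: str) -> Set[str]:
    """Parse a raw 250 reply into the advertised extension keywords (upper-cased).
    The first line is the server greeting and carries no extension, so it is skipped."""
    exts = set()
    for line in raw_reply.splitlines()[1:]:
        body = line[4:] if line.startswith(("250-", "250 ")) else line
        keyword = body.strip().split(" ", 1)[0]
        if keyword:
            exts.add(keyword.upper())
    return exts


def days_until_expiry(not_after: str, now_ts: float) -> int:
    """Whole days from now_ts (epoch seconds) until a certificate notAfter value in the
    format ssl.getpeercert() returns, e.g. 'May 24 21:15:02 2023 GMT'; negative if expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now_ts) // 86400)


def check_smtp_starttls_cert(host: str, port: int = 25, min_days: int = 30,
                             cafile: Optional[str] = None,
                             timeout: float = 10.0) -> Tuple[bool, int]:
    """Plaintext connect, require STARTTLS in the EHLO reply, upgrade the session and
    return (ok, days_left); ok means the chain validated against cafile (or the system
    store) and more than min_days remain. Raises if STARTTLS is not offered."""
    context = ssl.create_default_context(cafile=cafile)   # assumption: cafile signed the cert
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("monitor.example.invalid")               # hypothetical client name
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not advertise STARTTLS")
        smtp.starttls(context=context)                     # upgrade, not TLS-on-connect
        cert = smtp.sock.getpeercert()                     # verified peer cert as a dict
    days = days_until_expiry(cert["notAfter"], time.time())
    return days > min_days, days


if __name__ == "__main__":
    import sys
    ok, left = check_smtp_starttls_cert(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25)
    print(f"certificate valid for {left} days -> {'OK' if ok else 'FAILED'}")
```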
reporter - changed status to invalid
Hello Vlad,
thanks for the additional information. An additional EHLO / HELO option seems to be useful, I think. The mail servers I used ignore this option or accept everything to the request.
With regards,
Lutz
Hello Vlad,
are you sure SMTP via port 25 uses SSL?
Port 587 uses StartTLS/TLS, but port 25 does not.
To get some more information about the "check host" you can use "monit -I -vv" to run monit in the foreground in a verbose mode.
A question only,
Lutz