Generic SMTP check over TLS returns incorrect validity time range

Issue #1041 invalid
Val V created an issue

I’m trying to find a workaround for #1040 with this:

check host host-domain-smtp with address host.domain.tld
  if failed port 25 ssl with options { selfsigned: allow cacertificatefile: /etc/ssl/domain.tld.ca.crt } and certificate valid > 30 days and timeout 10 seconds and
      expect "^220.*"
      send   "EHLO other.host.domain.tld\r\n"
      expect "^250.*"
      send   "QUIT\r\n"
    for 3 cycles
    then alert

But I get this result instead, compared to when I use the SMTP protocol over TLS:

Remote Host 'host-domain-smtp'
  status                       Timestamp failed
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  port response time           6.577 s to host.domain.tld:25 type TCP/IP using TLS (certificate valid for 0 days) protocol generic
  data collected               Tue, 24 May 2022 21:15:02

Comments (7)

  1. Lutz Mader

    Hello Vlad,
are you sure that SMTP via port 25 uses SSL?
Port 587 uses StartTLS/TLS but port 25 does not.

    To get some more information about the "check host" you can use "monit -I -vv" to run monit in the foreground in a verbose mode.

    A question only,
    Lutz

  2. Val V reporter

    Yes, I’m sure. My SMTP servers are configured to accept TLS on 25. But I just checked on 587 – same issue.

I have another SMTP host that doesn’t have EHLO verification enabled, where the workaround for #1040 isn’t needed, and it works as expected:

    check host another-host-domain-smtp with address another.host.domain.tld
      if failed port 25 address XX.XX.XX.XX ssl with options { selfsigned: allow cacertificatefile: /etc/ssl/domain.tld.ca.crt } protocol smtps and certificate valid > 30 days
        for 3 cycles
        then alert
    

    with this status:

    Remote Host 'another-host-domain-smtp'
      status                       OK
      monitoring status            Monitored
      monitoring mode              active
      on reboot                    start
      port response time           59.840 ms to another.host.domain.tld:25 type TCP/IP using TLS (certificate valid for 1091 days) protocol SMTP
      data collected               Wed, 25 May 2022 17:36:23
    

  3. Val V reporter

    To add, send commands are being executed successfully from the check above on the remote SMTP host along with the TLS-established connection. It’s just cert validity that’s reported incorrectly.

  4. Lutz Mader

    Hello Vlad,
    no idea what is going wrong, sorry.

    check host smtp with address mail.domain.tld
      if failed port 465 ssl with certificate valid > 30 days and timeout 10 seconds and
         expect "^220.*"
         send   "EHLO other.host.domain.tld\r\n"
         expect "^250.*"
         send   "QUIT\r\n"
    #    for 3 cycles
        then alert
    

This works well, I think (tested with Monit 5.31.0).
I got the following after starting "monit -I -vv".

    GENERIC: successfully received: '220 gmx.net (mrgmx004) Nemesis ESMTP Service ready
    '
    GENERIC: successfully sent: 'EHLO other.host.domain.tld
    '
    GENERIC: successfully received: '250-gmx.net Hello other.host.domain.tld [89.183.221.187]
    250-8BITMIME
    250-AUTH LOGIN PLAIN
    250 SIZE 69920427
    '
    GENERIC: successfully sent: 'QUIT
    '
    'smtp' succeeded testing protocol [generic] at [mail.domain.tld]:465 [TCP/IP TLS] [response time 975.693 ms]
    'smtp' connection succeeded to [mail.domain.tld]:465 [TCP/IP TLS]
    'smtp' certificate valid days test succeeded [valid for 319 days]
    

    This is what I expected, the status is "OK" for the service. For port 25 I got the following, but the port does not support StartTLS/TLS.

    'smtp' succeeded testing protocol [generic] at [mail.domain.tld]:25 [TCP/IP TLS] [response time 1.015 s]
    'smtp' connection succeeded to [mail.domain.tld]:25 [TCP/IP TLS]
    'smtp' certificate expiry in 0 days matches check limit [valid > 30 days]
    

    And the status is "Timestamp failed".

My suggestion: remove your cacertificate file or the whole option from your definition. From my point of view, the cacertificate file is not necessary if you use a self-signed certificate.

    With regards,
    Lutz

  5. Val V reporter

    Oh, I think I know what the issue is. When I specify protocol smtps it tries to use STARTTLS on port 25 and succeeds. While with generic TCP check it uses TLS-on-connect, which is not enforced anywhere on my servers (but I can on 465/587). So it fails for 25, where only STARTTLS is supported.

So unfortunately, until #1040 is resolved, there’s no way to use a generic TCP check in place of the SMTP check on ports that only support STARTTLS.
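The difference described in this comment (TLS-on-connect for the generic check versus STARTTLS for protocol smtps) can be reproduced outside Monit. The following added example is not Monit code and not from anyone in this thread; it opens a plain connection, sends EHLO, upgrades with STARTTLS only if the server advertises it, verifies the certificate against a private CA file (the role of Monit's cacertificatefile) and reports the remaining validity in days. The hostnames, the CA file path and the sample EHLO reply are assumptions or constructed from output shown in the thread.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample, modelled on the EHLO reply shown in the thread: no STARTTLS offered
SAMPLE_EHLO_NO_STARTTLS = ("250-gmx.net Hello other.host.domain.tld [89.183.221.187]\r\n"
                           "250-8BITMIME\r\n250-AUTH LOGIN PLAIN\r\n250 SIZE 69920427\r\n")

def parse_ehlo_capabilities(reply):
    """Upper-cased keywords from a multi-line 250 EHLO reply (first line is the greeting)."""
    caps = set()
    for line in reply.splitlines()[1:]:
        if line.startswith("250") and len(line) > 4:
            caps.add(line[4:].split()[0].upper())
    return caps

def days_until_expiry(not_after, now=None):
    """Whole days left, from getpeercert()['notAfter'] such as 'May 24 21:15:02 2025 GMT'."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - (now or datetime.now(timezone.utc))).days

def read_reply(sock):
    """Read one full SMTP reply; continuation lines carry '-' after the 3-digit code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise RuntimeError("connection closed by server")
        data += chunk
        last = data.rstrip(b"\r\n").split(b"\r\n")[-1]
        if data.endswith(b"\r\n") and (len(last) < 4 or last[3:4] != b"-"):
            return data.decode("ascii", "replace")

def starttls_cert_days(host, port=25, ehlo="other.host.domain.tld", cafile=None):
    """Plain EHLO, then STARTTLS, then verify the server cert against cafile; return days left."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile = private CA, hypothetical path
    with socket.create_connection((host, port), timeout=10) as sock:
        if not read_reply(sock).startswith("220"):
            raise RuntimeError("no 220 banner")
        sock.sendall(("EHLO %s\r\n" % ehlo).encode("ascii"))
        if "STARTTLS" not in parse_ehlo_capabilities(read_reply(sock)):
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(sock).startswith("220"):
            raise RuntimeError("STARTTLS refused")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # TLS starts only here
            days = days_until_expiry(tls.getpeercert()["notAfter"])
            tls.sendall(b"QUIT\r\n")
            return days

if __name__ == "__main__":
    print("certificate valid for", starttls_cert_days("host.domain.tld", cafile="/etc/ssl/domain.tld.ca.crt"), "days")
```

Against a port that only offers TLS-on-connect (465), the plain EHLO step fails at the banner, which is the mirror image of the 0-day result the generic check produced on port 25.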

  6. Lutz Mader

    Hello Vlad,
    thanks for the additional information. An additional EHLO / HELO option seems to be useful, I think.

    The mail servers I used ignore this option or accept everything to the request.

    With regards,
    Lutz
