SMTP TLS/SSL Check no other port than 25/587 possible

Issue #642 new
Patrick Oberdorfer created an issue

There is a connection error when specifying another port than 25 or 587.

[CEST Jul  7 13:17:44] warning  : 'postfix_20025_20587' failed protocol test [SMTP] at [localhost]:20025 [TCP/IP TLS] -- SSL connection error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

[CEST Jul  7 13:17:44] warning  : 'postfix_20025_20587' certificate expiry in 0 days matches check limit [valid > 30 days]

Also, as you can see, the second line also prints a false positive failure because the certificate cannot be checked.

Monitrc:

check process postfix_25_587
    pidfile /var/spool/postfix/pid/master.pid
    if failed
            host localhost
            port 20587
            protocol smtps
            certificate valid > 30 days
            for 3 cycles
    then alert

Comments (5)

  1. Tildeslash repo owner

    If you set the protocol to "smtps", then monit performs an SSL handshake during connection, which in your case fails, because the target mailserver doesn't speak SSL on connect ... it is most probably just plaintext protocol with STARTTLS command. Monit switches from SSL to STARTTLS automatically only for well-known STARTTLS ports: 25 and 587.

    Workaround: modify the configuration to plaintext SMTP protocol test ... you will have to drop the certificate check:

    check process postfix_25_587
         pidfile /var/spool/postfix/pid/master.pid
         if failed
            host localhost
            port 20587
            protocol smtp
            for 3 cycles
         then alert
    

    We'll implement STARTTLS support for non-default SMTP ports, so it'll be possible to check SSL certificates too.

  2. Patrick Oberdorfer reporter

    Thanks a lot for clearing things up, and also for your fast response, as always!
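
The behaviour explained in the first comment, as an added example that is not part of the original thread and is not monit's code: a Python check that picks STARTTLS or TLS-on-connect from what the server sends rather than from the port number, and reports a certificate it could not obtain separately from one that is about to expire. The function names are hypothetical; `ssl.create_default_context()` verifies chain and host name, so the host passed in has to match the certificate.

```python
# Added example; function names are illustrative and not taken from monit.
import smtplib
import socket
import ssl
import time

def tls_mode(banner: bytes, ehlo_reply: bytes = b"") -> str:
    """Pick the TLS negotiation from what the server sent, not from the port."""
    if not banner:
        return "implicit-tls"  # silent server: it waits for a ClientHello (smtps)
    if not banner.startswith(b"220"):
        return "not-smtp"
    for line in ehlo_reply.splitlines():  # extensions: "250-KEYWORD" / "250 KEYWORD"
        if line[:3] == b"250" and line[4:].strip().upper() == b"STARTTLS":
            return "starttls"
    return "plaintext-only"

def days_left(not_after: str, now: float) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def evaluate(not_after, min_days=30, now=None) -> str:
    """Keep 'no certificate seen' apart from 'certificate about to expire'."""
    if not_after is None:
        return "certificate unavailable"
    days = days_left(not_after, time.time() if now is None else now)
    return f"ok ({days} days)" if days > min_days else f"expiring ({days} days)"

def fetch_not_after(host: str, port: int, timeout: float = 5.0):
    """Return the peer certificate's notAfter, or None if TLS is not offered."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as probe:
        try:
            banner = probe.recv(512)  # plaintext SMTP greets first with "220 ..."
        except socket.timeout:
            banner = b""
    mode = tls_mode(banner)
    if mode == "not-smtp":
        return None
    if mode == "implicit-tls":
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as smtp:
            return smtp.sock.getpeercert()["notAfter"]
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()["notAfter"]
```

`evaluate(fetch_not_after("mail.example.test", 20587))` would run the check against a placeholder host on the port from the issue; handshake and verification errors propagate as exceptions rather than being folded into the expiry result.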
