[solved] check_smtp: TLS not supported by server (bug?)

An open discussion forum for obtaining help with Nagios Core. Nagios Core users of all experience levels are welcome here. Subforums have been created for the discussion of Nagios Core and Nagios Plugin development.

NOTE: The SourceForge.net mailing lists have been deprecated in favor of this forum in order to expedite support and provide additional features not available on the old mailing list.

[solved] check_smtp: TLS not supported by server (bug?)

Postby xenium » Thu Jan 03, 2019 4:03 pm

I have Nagios Core running on a CentOS server, monitoring (among other things) TLS certs for Postfix, which is also running on a CentOS server.

Both the Nagios and Postfix servers were upgraded from CentOS 7.5 to CentOS 7.6. After the upgrade, check_smtp began reporting "WARNING - TLS not supported by server". Prior to the upgrade the check_smtp plugin was able to successfully test the TLS cert.

No changes have been made to the configuration of either server. Only a single "yum update" command was used to perform the upgrade on each server.

The command line I am using is:

Code:
check_smtp -H 2602:ffc5:1f::1f:8435 -p 25 -F mail2.nullmodem.org -S -D 21,7


This is the plugin output:

Code:
WARNING - TLS not supported by server


This is the plugin output if I add -v to the command line:

Code:
HELOCMD: EHLO mail2.nullmodem.org
Sending header PROXY TCP4 0.0.0.0 0.0.0.0 25 25

220 vps1.nullmodem.org ESMTP Postfix
WARNING - TLS not supported by server
sent QUIT
received 250-vps1.nullmodem.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


My first guess was that the upgrade had actually broken TLS, and that check_smtp was reporting accurate results. However, testing the TLS connection with gnutls-cli shows that TLS *is* available and working properly, and that the certificate and CA chain are valid:

Code:
# gnutls-cli --starttls --port 25 mail2.nullmodem.org
Processed 151 CA certificate(s).
Resolving 'mail2.nullmodem.org'...
Connecting to '2602:ffc5:1f::1f:8435:25'...

- Simple Client Mode:

220 vps1.nullmodem.org ESMTP Postfix
ehlo vps1
250-vps1.nullmodem.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=mail2.nullmodem.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2018-11-05 07:16:13 UTC', expires `2019-02-03 07:16:13 UTC', SHA-1 fingerprint `2df33c8d4f40b220a5964edc0a0c199fb54119b1'
        Public Key ID:
                15da33ba3435010340056691d0693256623cdd74
        Public key's random art:
                +--[ RSA 2048]----+
                | .+*OX+.E.o      |
                | .*+* .. + o     |
                | . =    . B      |
                |         + +     |
                |        S        |
                |       . o       |
                |        .        |
                |                 |
                |                 |
                +-----------------+

- Certificate[1] info:
- subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', SHA-1 fingerprint `e6a3b45b062d509b3382282d196efe97d5956ccb'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
- Session ID: 93:23:EB:F9:FA:0B:DB:FD:25:4B:ED:AF:68:04:54:3F:5B:D0:D3:98:40:78:78:3A:4F:5C:29:BF:9C:B4:27:C6
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP256R1
- Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
quit
221 2.0.0 Bye
- Peer has closed the GnuTLS connection


I haven't had a chance to do a deep dive on this, but I'm guessing (and it really is just a guess) that the CentOS upgrade installed a new version of Postfix which deprecated an older version of TLS which check_smtp is using, and which gnutls-cli is not? Gnutls-cli seems to be using TLS v1.2. Or perhaps a cipher has been deprecated that check_smtp is trying to use? I don't see any info about this in the check_smtp man page however, or in the output of check_smtp -?, and am not sure how to determine this?
Last edited by xenium on Mon Jan 07, 2019 10:12 am, edited 1 time in total.
xenium
 
Posts: 3
Joined: Thu Jan 03, 2019 3:27 pm
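The verbose output above shows the server answering EHLO with a `250-STARTTLS` line, which is the only thing a client needs to see before it may send STARTTLS (RFC 3207). The following script is an added example, not code from the Nagios plugins project or from the poster: it re-creates that capability check on its own, parsing the multi-line EHLO reply captured in the post (embedded here as a constructed string so it runs offline) and producing a Nagios-style verdict for the capability step only; the handshake itself is not attempted. The function names and the `UNKNOWN` verdict for an unparseable reply are this example's own choices.

```python
"""Decide from an SMTP EHLO reply whether the server advertises STARTTLS.

Added example, not the Nagios check_smtp implementation. It performs only the
capability step that precedes the STARTTLS command: parse the multi-line 250
reply (RFC 5321 section 4.2.1) and look for the STARTTLS keyword (RFC 3207).
"""

# EHLO reply copied from the verbose check_smtp output in the thread, stored
# inline (constructed sample) so the example needs no network access.
EHLO_REPLY = (
    "250-vps1.nullmodem.org\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-VRFY\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)


def parse_reply(reply: str):
    """Split a multi-line SMTP reply into (code, [text lines]).

    Each line starts with a three-digit code; a hyphen after the code means
    more lines follow, a space marks the final line. A reply whose code changes
    mid-way or that never reaches a final line is rejected with ValueError, so
    a truncated or garbled read is reported rather than silently misjudged.
    """
    code = None
    texts = []
    complete = False
    for raw in reply.splitlines():
        if complete:
            raise ValueError("data after final reply line")
        if len(raw) < 4 or not raw[:3].isdigit() or raw[3] not in "- ":
            raise ValueError(f"malformed reply line: {raw!r}")
        line_code = int(raw[:3])
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed mid-reply")
        texts.append(raw[4:])
        complete = raw[3] == " "
    if code is None or not complete:
        raise ValueError("incomplete reply")
    return code, texts


def ehlo_extensions(reply: str) -> dict:
    """Return the advertised EHLO keywords (upper-cased) mapped to their params.

    The first text line is the server's domain and greeting, not an extension;
    every following line is "KEYWORD [parameters]". A non-250 reply (EHLO
    refused) yields no extensions.
    """
    code, texts = parse_reply(reply)
    if code != 250:
        return {}
    extensions = {}
    for text in texts[1:]:
        keyword, _, params = text.partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def supports_starttls(reply: str) -> bool:
    """True when the EHLO reply lists STARTTLS among its extensions."""
    return "STARTTLS" in ehlo_extensions(reply)


def starttls_status(reply: str) -> str:
    """Nagios-style one-line verdict for the capability check."""
    try:
        if supports_starttls(reply):
            return "OK - server advertises STARTTLS"
        return "WARNING - TLS not supported by server"
    except ValueError as exc:
        return f"UNKNOWN - could not parse EHLO reply: {exc}"


if __name__ == "__main__":
    print(starttls_status(EHLO_REPLY))
```

Run against the captured reply it prints `OK - server advertises STARTTLS`, which is the verdict the server's own EHLO response supports; a plugin that reports "TLS not supported" after receiving this reply is failing somewhere after the capability check, or is mis-parsing it.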

Re: check_smtp: TLS not supported by server (bug?)

Postby tgriep » Thu Jan 03, 2019 5:19 pm

What version of the check_smtp plugin are you running?
Code:
./check_smtp -V


What I think happened is that the postfix main.cf file was changed and that it is not accepting TLS connections anymore or that the certs were regenerated on the postfix server and that is causing the error.

Try running the command without checking for TLS and see if you get any response from the server.
Code:
check_smtp -H 2602:ffc5:1f::1f:8435 -p 25 -F mail2.nullmodem.org
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

tgriep
Madmin
 
Posts: 7452
Joined: Thu Oct 30, 2014 9:02 am

Re: check_smtp: TLS not supported by server (bug?)

Postby xenium » Sat Jan 05, 2019 8:22 am

tgriep wrote:
What version of the check_smtp plugin are you running?

check_smtp v2.2.1.git (nagios-plugins 2.2.1)

tgriep wrote:
What I think happened is that the postfix main.cf file was changed and that it is not accepting TLS connections anymore or that the certs were regenerated on the postfix server and that is causing the error.

No, main.cf still has a timestamp of over a year ago, and I diffed it against a backup copy, and they're the same. The certs were not regenerated. I'm not using self-signed certs, I'm using certs signed by Let's Encrypt, and which auto-renew every three months via the acme.sh script run from cron. I included the output of gnutls-cli in my original post above, which shows a connection being made to port 25 of the mail server, a STARTTLS command being executed, and the decoded certificate and CA chain. All is still valid and the correct certs. Mail seems to be flowing normally, and every test I've tried shows that everything is working normally. The only thing that is not working is that check_smtp seems to be falsely reporting "WARNING - TLS not supported by server".

tgriep wrote:
Try running the command without checking for TLS and see if you get any response from the server.

Yes, it works normally:

Code:
check_smtp -H 2602:ffc5:1f::1f:8435 -p 25 -F mail2.nullmodem.org
SMTP OK - 0.516 sec. response time|time=0.515718s;;;0.000000


I'm still guessing that something has changed in Postfix's TLS support, such as the available ciphers or the minimum TLS version, which check_smtp isn't compatible with. I still haven't had time to start digging into source code though. :-(
xenium
 
Posts: 3
Joined: Thu Jan 03, 2019 3:27 pm

Re: check_smtp: TLS not supported by server (bug?)

Postby xenium » Mon Jan 07, 2019 5:24 am

I'm still waiting for my last reply to this thread to be approved, but I did some more troubleshooting and found that if I rolled back to the previous version of check_smtp things worked normally again:

Code:
# rpm -e --nodeps nagios-plugins-smtp-2-2-1-15.20180725git3429dad.el7.x86_64
# rpm -i --nodeps nagios-plugins-smtp-2.2.1-9git5c7eb5b9.el7.x86_64.rpm


So it looks like this was indeed a bug with this particular release of the check_smtp plugin. I was in the process of filing a Bugzilla report for the EPEL package when I noticed that a new release was published just yesterday, nagios-plugins-smtp-2.2.1-16.20180725git3429dad.el7. I tried installing this and sure enough, it worked properly as well, so someone must have already discovered the problem and corrected it.

So to summarize:

nagios-plugins-smtp-2.2.1-9git5c7eb5b9.el7 - works properly
nagios-plugins-smtp-2.2.1-15.20180725git3429dad.el7 - breaks TLS test
nagios-plugins-smtp-2.2.1-16.20180725git3429dad.el7 - works properly
xenium
 
Posts: 3
Joined: Thu Jan 03, 2019 3:27 pm

Re: [solved] check_smtp: TLS not supported by server (bug?)

Postby scottwilkerson » Mon Jan 07, 2019 10:55 am

Glad to hear it is resolved!

Locking thread
scottwilkerson
DevOps Engineer
 
Posts: 12916
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

