
[solved] check_smtp: TLS not supported by server (bug?)

Posted: Thu Jan 03, 2019 4:03 pm
by xenium
I have Nagios Core running on a CentOS server, monitoring (among other things) TLS certs for Postfix, which is also running on a CentOS server.

Both the Nagios and Postfix servers were upgraded from CentOS 7.5 to CentOS 7.6. After the upgrade, check_smtp began reporting "WARNING - TLS not supported by server". Prior to the upgrade the check_smtp plugin was able to successfully test the TLS cert.

No changes have been made to the configuration of either server. Only a single "yum update" command was used to perform the upgrade on each server.

The command line I am using is:

check_smtp -H 2602:ffc5:1f::1f:8435 -p 25 -F mail2.nullmodem.org -S -D 21,7

This is the plugin output:

WARNING - TLS not supported by server

This is the plugin output if I add -v to the command line:

HELOCMD: EHLO mail2.nullmodem.org
Sending header PROXY TCP4 0.0.0.0 0.0.0.0 25 25

220 vps1.nullmodem.org ESMTP Postfix
WARNING - TLS not supported by server
sent QUIT
received 250-vps1.nullmodem.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

My first guess was that the upgrade had actually broken TLS, and that check_smtp was reporting accurate results. However, testing the TLS connection with gnutls-cli shows that TLS *is* available and working properly, and that the certificate and CA chain are valid:

# gnutls-cli --starttls --port 25 mail2.nullmodem.org
Processed 151 CA certificate(s).
Resolving 'mail2.nullmodem.org'...
Connecting to '2602:ffc5:1f::1f:8435:25'...

- Simple Client Mode:

220 vps1.nullmodem.org ESMTP Postfix
ehlo vps1
250-vps1.nullmodem.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=mail2.nullmodem.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2018-11-05 07:16:13 UTC', expires `2019-02-03 07:16:13 UTC', SHA-1 fingerprint `2df33c8d4f40b220a5964edc0a0c199fb54119b1'
        Public Key ID:
                15da33ba3435010340056691d0693256623cdd74
        Public key's random art:
                +--[ RSA 2048]----+
                | .+*OX+.E.o      |
                | .*+* .. + o     |
                | . =    . B      |
                |         + +     |
                |        S        |
                |       . o       |
                |        .        |
                |                 |
                |                 |
                +-----------------+

- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', SHA-1 fingerprint `e6a3b45b062d509b3382282d196efe97d5956ccb'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
- Session ID: 93:23:EB:F9:FA:0B:DB:FD:25:4B:ED:AF:68:04:54:3F:5B:D0:D3:98:40:78:78:3A:4F:5C:29:BF:9C:B4:27:C6
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
quit
221 2.0.0 Bye
- Peer has closed the GnuTLS connection

I haven't had a chance to do a deep dive on this, but I'm guessing (and it really is just a guess) that the CentOS upgrade installed a new version of Postfix which deprecated an older version of TLS which check_smtp is using, and which gnutls-cli is not? Gnutls-cli seems to be using TLS v1.2. Or perhaps a cipher has been deprecated that check_smtp is trying to use? I don't see any info about this in the check_smtp man page however, or in the output of check_smtp -?, and am not sure how to determine this?
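The verbose output above shows the plugin printing "TLS not supported by server" before the multi-line EHLO reply containing 250-STARTTLS had been received. As an added example (not part of this thread or of the nagios-plugins code), this is how a monitoring check should read a complete RFC 5321 multi-line reply before deciding whether STARTTLS is advertised; the sample reply is constructed from the lines shown in the post, and a real checker would pass sock.makefile("rb") instead of a BytesIO.

```python
import io
import re

# Constructed sample: the EHLO reply exactly as shown in the thread's -v output.
SAMPLE_EHLO_REPLY = (
    b"250-vps1.nullmodem.org\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-VRFY\r\n"
    b"250-ETRN\r\n"
    b"250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n"
    b"250 DSN\r\n"
)

# "250-TEXT" is a continuation line, "250 TEXT" is the final line of a reply.
_REPLY_LINE = re.compile(rb"^(\d{3})([ -])(.*)$")


def read_reply(stream):
    """Read one complete SMTP reply from a binary line stream.

    Returns (code, [text lines]). Raises if the stream ends before the final
    line, so a truncated reply is never mistaken for a complete one.
    """
    code, texts = None, []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("connection closed before reply completed")
        m = _REPLY_LINE.match(raw.rstrip(b"\r\n"))
        if not m:
            raise ValueError("malformed reply line: %r" % raw)
        line_code, sep, text = m.groups()
        if code is None:
            code = int(line_code)
        elif int(line_code) != code:
            raise ValueError("reply code changed mid-reply")
        texts.append(text.decode("ascii", "replace"))
        if sep == b" ":  # final line reached; only now is the reply complete
            return code, texts


def ehlo_extensions(texts):
    """EHLO keywords from the reply text; the first line is the server's domain."""
    return {t.split()[0].upper() for t in texts[1:] if t.strip()}


def starttls_offered(reply_bytes):
    """True only if a complete 250 EHLO reply advertises STARTTLS."""
    code, texts = read_reply(io.BytesIO(reply_bytes))
    return code == 250 and "STARTTLS" in ehlo_extensions(texts)
```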

Re: check_smtp: TLS not supported by server (bug?)

Posted: Thu Jan 03, 2019 5:19 pm
by tgriep
What version of the check_smtp plugin are you running?

./check_smtp -V

What I think happened is that the postfix main.cf file was changed and that it is not accepting TLS connections anymore or that the certs were regenerated on the postfix server and that is causing the error.

Try running the command without checking for TLS and see if you get any response from the server.

check_smtp -H 2602:ffc5:1f::1f:8435 -p 25 -F mail2.nullmodem.org

Re: check_smtp: TLS not supported by server (bug?)

Posted: Sat Jan 05, 2019 8:22 am
by xenium
tgriep wrote:
> What version of the check_smtp plugin are you running?

check_smtp v2.2.1.git (nagios-plugins 2.2.1)

> What I think happened is that the postfix main.cf file was changed and that it is not accepting TLS connections anymore or that the certs were regenerated on the postfix server and that is causing the error.

No, main.cf still has a timestamp of over a year ago, and I diffed it against a backup copy, and they're the same. The certs were not regenerated. I'm not using self-signed certs, I'm using certs signed by Let's Encrypt, and which auto-renew every three months via the acme.sh script run from cron. I included the output of gnutls-cli in my original post above, which shows a connection being made to port 25 of the mail server, a STARTTLS command being executed, and the decoded certificate and CA chain. All is still valid and the correct certs. Mail seems to be flowing normally, and every test I've tried shows that everything is working normally. The only thing that is not working is that check_smtp seems to be falsely reporting "WARNING - TLS not supported by server".

> Try running the command without checking for TLS and see if you get any response from the server.

Yes, it works normally:

check_smtp -H 2602:ffc5:1f::1f:8435 -p 25 -F mail2.nullmodem.org
SMTP OK - 0.516 sec. response time|time=0.515718s;;;0.000000

I'm still guessing that something has changed in Postfix's TLS support, such as the available ciphers or the minimum TLS version, which check_smtp isn't compatible with. I still haven't had time to start digging into source code though. :-(

Re: check_smtp: TLS not supported by server (bug?)

Posted: Mon Jan 07, 2019 5:24 am
by xenium
I'm still waiting for my last reply to this thread to be approved, but I did some more troubleshooting and found that if I rolled back to the previous version of check_smtp things worked normally again:

# rpm -e --nodeps nagios-plugins-smtp-2-2-1-15.20180725git3429dad.el7.x86_64
# rpm -i --nodeps nagios-plugins-smtp-2.2.1-9git5c7eb5b9.el7.x86_64.rpm

So it looks like this was indeed a bug with this particular release of the check_smtp plugin. I was in the process of filing a Bugzilla report for the epel package when I noticed that a new release was published just yesterday, nagios-plugins-smtp-2.2.1-16.20180725git3429dad.el7. I tried installing this and sure enough, it worked properly as well, so someone must have already discovered the problem and corrected it.

So to summarize:

nagios-plugins-smtp-2.2.1-9git5c7eb5b9.el7 - works properly
nagios-plugins-smtp-2.2.1-15.20180725git3429dad.el7 - breaks TLS test
nagios-plugins-smtp-2.2.1-16.20180725git3429dad.el7 - works properly

Re: [solved] check_smtp: TLS not supported by server (bug?)

Posted: Mon Jan 07, 2019 10:55 am
by scottwilkerson
Glad to hear it is resolved!

Locking thread