Configuring SMTP server with TLS

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
genna
Posts: 34
Joined: Mon Aug 14, 2017 8:10 pm

Configuring SMTP server with TLS

Post by genna »

Hi
I'm trying to configure an SMTP server for notifications and my test email fails with the following:

[11-30-2017 15:28:25] SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/ ... leshooting (method=smtp;host=10.132.204.112;port=25;security=tls), Referer: admin/testemail.php

I did a tcpdump trace and it appears our mail server sends a certificate and the Nagios XI server responds with an Unknown CA error message. So I gather I need to import the CA cert into the Nagios trust keystore. The question is how do I do it? Which keystore does the mail sender use?

Thanks
Genna
kyang

Re: Configuring SMTP server with TLS

Post by kyang »

Could I ask a few questions? Is this the only error you are receiving?

Could we see the tcpdump?

Did you edit any files or only through the UI with authentication?

Are you using Postfix or Exchange?

On page 5 of the documentation, it talks about SMTP. Have you viewed this?

https://assets.nagios.com/downloads/nag ... ios-XI.pdf
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Configuring SMTP server with TLS

Post by mcapra »

Is there anything preventing you from installing the CA on the system itself? I don't know what libraries Nagios XI uses off the top of my head, but I can't imagine a situation where this wouldn't solve the problem. There's a handful of guides out there:
https://access.redhat.com/solutions/1519813

This would be a lot easier than providing it with the SSL context established in-code. Installing internal CAs is part of my org's provisioning process (yay Chef).

Also, port 25 is non-standard for TLS so I'd be extra sure your mail server accepts TLS connections on that port. I don't think that's the problem based on your examination of the tcpdump.
Former Nagios employee
https://www.mcapra.com/
kyang

Re: Configuring SMTP server with TLS

Post by kyang »

Thanks mcapra!

genna, please verify the actual port for TLS.
genna
Posts: 34
Joined: Mon Aug 14, 2017 8:10 pm

Re: Configuring SMTP server with TLS

Post by genna »

Hi kyang and mcapra

I'm using the UI to configure and test email; I have not modified any config files.
I have confirmed the port and it is indeed port 25.
I can't provide much detail about the SMTP server as it is managed by another part of the organisation and we are 16 hours apart. But from what I understand, the server accepts both plain and TLS on the same port, and the way it is achieved is via the SMTP protocol: the connection is made in plain and then the client issues the STARTTLS command, which forces the server to switch to the TLS interface and start the certificate exchange.
So I have tried the test again, this time setting security to none. Unfortunately it does not make any difference. Inspecting the tcpdump again (after the test with security set to none), I can see the client issuing the STARTTLS command (frame 9 in the trace).
@kyang I'm sending the trace file over PM
Thanks
Genna
genna
Posts: 34
Joined: Mon Aug 14, 2017 8:10 pm

Re: Configuring SMTP server with TLS

Post by genna »

Hi kyang
I have found the problem - and it appears to be a bug in Nagios XI code.
The PHPMailer that Nagios is using has the following setting with a comment (we are using PHP 5.6):


    /**
     * What kind of encryption to use on the SMTP connection.
     * Options: '', 'ssl' or 'tls'.
     *
     * @var string
     */
    public $SMTPSecure = '';

    /**
     * Whether to enable TLS encryption automatically if a server supports it,
     * even if `SMTPSecure` is not set to 'tls'.
     * Be aware that in PHP >= 5.6 this requires that the server's certificates are valid.
     *
     * @var bool
     */
    public $SMTPAutoTLS = true;

So I have added the following lines to utils-email.inc.php:


        // optionally use TLS or SSL
        if ($smtpsecurity == "tls") {
            $mail->SMTPSecure = "tls";
            $debuginfo .= ";security=tls";
        } else if ($smtpsecurity == "ssl") {
            $mail->SMTPSecure = "ssl";
            $debuginfo .= ";security=ssl";
        } else {
            // Genna's Changes - start
            $mail->SMTPSecure = "";      // This is just a good development practice not to rely on defaults
            $mail->SMTPAutoTLS = false;  // This is to ensure TLS does not kick in automatically
            // Genna's Changes - end
            $debuginfo .= ";security=none";
        }

I hope you can accept those changes (or come up with something better) - I would hate to maintain deviations
Regards
Genna
kyang

Re: Configuring SMTP server with TLS

Post by kyang »

Overall, you don't want it to use STARTTLS?

I mentioned this, and it's normal. It's supposed to do that.

If that change works for you, then it's a good thing that it's working.

It's less so a bug, but more a preference.

Were there any more questions or are we okay to lock this up?
genna
Posts: 34
Joined: Mon Aug 14, 2017 8:10 pm

Re: Configuring SMTP server with TLS

Post by genna »

Hi kyang
I'm afraid I'm still having a problem. It appears alerting via email is not using the SMTP server, but instead tries to use the sendmail option.
I'm testing email alert notification and I'm not getting an email. I can send a test email from the Admin "Manage email setting" page. I can also send email from the Account "Send Test Notification" page. I also receive emails when an account is created. However, when an alert is triggered the email is not sent. In /usr/local/nagiosxi/tmp/phpmailer.log I can see those entries:
[12-05-2017 11:53:29] Message sent! (method=smtp;host=10.132.204.112;port=25;security=none), Referer: admin/users.php > Account Creation
[12-05-2017 12:07:59] Message sent! (method=smtp;host=10.132.204.112;port=25;security=none), Referer: admin/users.php > Account Creation
[12-05-2017 13:30:45] Message sent! (method=smtp;host=10.132.204.112;port=25;security=none), Referer: account/testnotification.php > PHPmailer Test
[12-05-2017 14:43:45] Message sent! (method=smtp;host=10.132.204.112;port=25;security=none), Referer: admin/testemail.php
That corresponds to all emails I have received.
In /var/log/maillog I can see this:
[root@int-dev-nag-wm var]# less /var/log/maillog | grep reingold
Dec 5 14:23:08 int-dev-nag-wm postfix/smtp[13158]: 2125B406CD92: to=<[email protected]>, relay=none, delay=30, delays=0.03/0.04/30/0, dsn=4.4.1, status=deferred (connect to fisglobal.com[156.55.138.18]:25: Connection timed out)
Dec 5 14:32:22 int-dev-nag-wm postfix/smtp[16587]: 2125B406CD92: to=<[email protected]>, relay=none, delay=584, delays=554/0.09/30/0, dsn=4.4.1, status=deferred (connect to fisglobal.com[156.55.138.18]:25: Connection timed out)
Dec 5 14:47:23 int-dev-nag-wm postfix/smtp[22434]: 2125B406CD92: to=<[email protected]>, relay=none, delay=1485, delays=1454/0.05/30/0, dsn=4.4.1, status=deferred (connect to fisglobal.com[156.55.138.18]:25: Connection timed out)
This corresponds to 3 alert events and I have not received any of them. It is also trying to connect to fisglobal.com[156.55.138.18]:25, which is not what is configured in the SMTP hosts setting. It is the error I used to get when testing via sendmail.
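An audit sketch for the two log formats quoted in the post above, added here as an example and not part of the original thread or of Nagios XI: it flags PHPMailer deliveries that failed or went out with security=none, and Postfix deliveries that did not go through the configured relay. The relay address, host names, queue IDs and log lines are constructed.

```python
import re

RELAY = "192.0.2.10"  # assumed: SMTP host configured in Nagios XI (constructed value)

# Constructed sample lines in the phpmailer.log and maillog formats shown in the thread.
PHPMAILER_LOG = """\
[11-30-2017 15:28:25] SMTP connect() failed. (method=smtp;host=192.0.2.10;port=25;security=tls), Referer: admin/testemail.php
[12-05-2017 13:30:45] Message sent! (method=smtp;host=192.0.2.10;port=25;security=none), Referer: account/testnotification.php > PHPmailer Test
[12-06-2017 09:10:02] Message sent! (method=smtp;host=192.0.2.10;port=25;security=tls), Referer: admin/testemail.php
"""
MAILLOG = """\
Dec  5 14:23:08 mon01 postfix/smtp[13158]: 2125B406CD92: to=<oncall@example.com>, relay=none, delay=30, delays=0.03/0.04/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[198.51.100.18]:25: Connection timed out)
Dec  5 14:40:00 mon01 postfix/smtp[13200]: 3A5C1406CD93: to=<oncall@example.com>, relay=192.0.2.10[192.0.2.10]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

PHPMAILER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*?)\s*\(method=(?P<method>[^;]+);host=(?P<host>[^;]+);"
    r"port=(?P<port>\d+);security=(?P<sec>[^)]+)\), Referer: (?P<ref>.*)$")
POSTFIX_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),"
    r".*?status=(?P<status>\w+) \((?P<detail>.*)\)$")

def audit_phpmailer(text):
    """Return (timestamp, finding, referer) for failed or unencrypted sends."""
    findings = []
    for line in text.splitlines():
        m = PHPMAILER_RE.match(line)
        if not m:
            continue  # lines in other formats are skipped, not guessed at
        if "sent" not in m["msg"].lower():
            findings.append((m["ts"], "FAILED", m["ref"]))
        elif m["sec"] == "none":
            findings.append((m["ts"], "PLAINTEXT", m["ref"]))
    return findings

def audit_postfix(text, relay=RELAY):
    """Return (queue_id, status, relay, detail) for mail not handed to `relay`."""
    findings = []
    for line in text.splitlines():
        m = POSTFIX_RE.search(line)
        if m and m["relay"].split("[")[0] != relay:
            findings.append((m["qid"], m["status"], m["relay"], m["detail"]))
    return findings

if __name__ == "__main__":
    for finding in audit_phpmailer(PHPMAILER_LOG) + audit_postfix(MAILLOG):
        print(finding)
```

A Postfix finding with relay=none means the local MTA attempted direct delivery, so the SMTP host and security settings in the UI were not applied to that message.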
genna
Posts: 34
Joined: Mon Aug 14, 2017 8:10 pm

Re: Configuring SMTP server with TLS

Post by genna »

Hi kyang
I have uploaded profile in PM.
The user that should have received the email is test_crit.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Configuring SMTP server with TLS

Post by cdienger »

Hi Genna! Sorry for the inconvenience, but Kevin is out today. Please PM me the profile instead and I'll take a look.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.