[solved] check_smtp: TLS not supported by server (bug?)

xenium
Posts: 3
Joined: Thu Jan 03, 2019 3:27 pm

[solved] check_smtp: TLS not supported by server (bug?)

Post by xenium »

I have Nagios Core running on a CentOS server, monitoring (among other things) TLS certs for Postfix, which is also running on a CentOS server.

Both the Nagios and Postfix servers were upgraded from CentOS 7.5 to CentOS 7.6. After the upgrade, check_smtp began reporting "WARNING - TLS not supported by server". Prior to the upgrade the check_smtp plugin was able to successfully test the TLS cert.

No changes have been made to the configuration of either server. Only a single "yum update" command was used to perform the upgrade on each server.

The command line I am using is:

check_smtp -H 2602:ffc5:1f::1f:8435 -p 25 -F mail2.nullmodem.org -S -D 21,7

This is the plugin output:

WARNING - TLS not supported by server

This is the plugin output if I add -v to the command line:

HELOCMD: EHLO mail2.nullmodem.org
Sending header PROXY TCP4 0.0.0.0 0.0.0.0 25 25

220 vps1.nullmodem.org ESMTP Postfix
WARNING - TLS not supported by server
sent QUIT
received 250-vps1.nullmodem.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

My first guess was that the upgrade had actually broken TLS, and that check_smtp was reporting accurate results. However, testing the TLS connection with gnutls-cli shows that TLS *is* available and working properly, and that the certificate and CA chain are valid:

# gnutls-cli --starttls --port 25 mail2.nullmodem.org
Processed 151 CA certificate(s).
Resolving 'mail2.nullmodem.org'...
Connecting to '2602:ffc5:1f::1f:8435:25'...

- Simple Client Mode:

220 vps1.nullmodem.org ESMTP Postfix
ehlo vps1
250-vps1.nullmodem.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=mail2.nullmodem.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2018-11-05 07:16:13 UTC', expires `2019-02-03 07:16:13 UTC', SHA-1 fingerprint `2df33c8d4f40b220a5964edc0a0c199fb54119b1'
        Public Key ID:
                15da33ba3435010340056691d0693256623cdd74
        Public key's random art:
                +--[ RSA 2048]----+
                | .+*OX+.E.o      |
                | .*+* .. + o     |
                | . =    . B      |
                |         + +     |
                |        S        |
                |       . o       |
                |        .        |
                |                 |
                |                 |
                +-----------------+

- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', SHA-1 fingerprint `e6a3b45b062d509b3382282d196efe97d5956ccb'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
- Session ID: 93:23:EB:F9:FA:0B:DB:FD:25:4B:ED:AF:68:04:54:3F:5B:D0:D3:98:40:78:78:3A:4F:5C:29:BF:9C:B4:27:C6
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
quit
221 2.0.0 Bye
- Peer has closed the GnuTLS connection

I haven't had a chance to do a deep dive on this, but I'm guessing (and it really is just a guess) that the CentOS upgrade installed a new version of Postfix which deprecated an older version of TLS which check_smtp is using, and which gnutls-cli is not? Gnutls-cli seems to be using TLS v1.2. Or perhaps a cipher has been deprecated that check_smtp is trying to use? I don't see any info about this in the check_smtp man page however, or in the output of check_smtp -?, and am not sure how to determine this?
Last edited by xenium on Mon Jan 07, 2019 10:12 am, edited 1 time in total.
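One detail in the verbose run above is worth pinning down for anyone writing or debugging a STARTTLS check: the WARNING is printed before the EHLO reply lines (including 250-STARTTLS) appear as received, which is the symptom of a checker that judges a multi-line SMTP reply before its final line has arrived. The script below is an added example written for this thread, not code from the nagios-plugins project or from any poster. It reads a complete RFC 5321 multi-line reply before deciding anything, looks for the STARTTLS keyword, negotiates STARTTLS with certificate and hostname verification, and grades the certificate's remaining lifetime with warn,crit day thresholds in the spirit of -D 21,7 (the exact threshold semantics are assumed, not taken from the plugin source). The function names, the command-line arguments, and the sample EHLO reply (copied from the thread's verbose output) are constructed for the example.

```python
import socket
import ssl
from datetime import datetime, timezone


def parse_reply(text):
    """Parse the SMTP reply text received so far (RFC 5321 section 4.2).

    Returns (code, lines, complete). Lines of the form "NNN-text" are
    continuations; the reply is complete only once a "NNN text" line
    (space after the code) has arrived. A trailing partial line without
    CRLF is ignored until more data is read.
    """
    code, lines, complete = None, [], False
    full, _, _partial = text.rpartition("\r\n")
    for raw in (full.split("\r\n") if full else []):
        if len(raw) == 3 and raw.isdigit():
            raw += " "  # bare reply code with no text
        if len(raw) < 4 or not raw[:3].isdigit() or raw[3] not in " -":
            raise ValueError(f"malformed SMTP reply line: {raw!r}")
        line_code = int(raw[:3])
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed within one reply")
        lines.append(raw[4:])
        if raw[3] == " ":
            complete = True
            break
    return code, lines, complete


def read_reply(sock):
    """Keep reading until the reply's final line has arrived, then parse it.
    Judging a partially received reply is the trap: the EHLO line that
    advertises STARTTLS may still be in flight."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection mid-reply")
        buf += chunk
        code, lines, complete = parse_reply(buf.decode("ascii", "replace"))
        if complete:
            return code, lines


def ehlo_keywords(lines):
    """EHLO keywords advertised by the server; the first reply line is the
    server's domain, not a keyword, so it is skipped."""
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def supports_starttls(lines):
    return "STARTTLS" in ehlo_keywords(lines)


def cert_status(not_after, warn_days, crit_days, now=None):
    """Map days until expiry to a Nagios state (assumed -D warn,crit
    semantics: below crit is CRITICAL, below warn is WARNING)."""
    now = now or datetime.now(timezone.utc)
    days_left = (not_after - now).days
    if days_left < crit_days:
        return "CRITICAL", days_left
    if days_left < warn_days:
        return "WARNING", days_left
    return "OK", days_left


def check_starttls_cert(host, port, server_name, warn_days, crit_days, timeout=10):
    """Full exchange: greeting, EHLO, STARTTLS, handshake, certificate check.
    server_name is used for EHLO and for hostname verification of the cert."""
    ctx = ssl.create_default_context()  # verifies the chain and server_name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, _ = read_reply(sock)
        if code != 220:
            return "CRITICAL", f"unexpected greeting code {code}"
        sock.sendall(f"EHLO {server_name}\r\n".encode("ascii"))
        code, lines = read_reply(sock)
        if code != 250:
            return "CRITICAL", f"EHLO rejected with {code}"
        if not supports_starttls(lines):
            return "WARNING", "TLS not supported by server"
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(sock)
        if code != 220:
            return "CRITICAL", f"STARTTLS refused with {code}"
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            not_after = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"]),
                tz=timezone.utc)
            tls.sendall(b"QUIT\r\n")
        state, days = cert_status(not_after, warn_days, crit_days)
        return state, f"certificate expires in {days} days ({not_after:%Y-%m-%d})"


# Constructed sample: the EHLO reply shown in this thread's verbose output.
SAMPLE_EHLO_REPLY = (
    "250-vps1.nullmodem.org\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n250 DSN\r\n")

if __name__ == "__main__":
    import sys
    # usage: python3 smtp_tls_check.py <host> <port> <server_name>
    host, port, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    state, msg = check_starttls_cert(host, port, name, 21, 7)
    print(f"SMTP {state} - {msg}")
```

Feeding parse_reply only the first few lines of the sample reply yields complete=False and no STARTTLS keyword, which is the false "TLS not supported" verdict a checker produces when it evaluates too early; waiting for the "250 DSN" line gives the correct answer.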
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: check_smtp: TLS not supported by server (bug?)

Post by tgriep »

What version of the check_smtp plugin are you running?

./check_smtp -V

What I think happened is that the postfix main.cf file was changed and that it is not accepting TLS connections anymore or that the certs were regenerated on the postfix server and that is causing the error.

Try running the command without checking for TLS and see if you get any response from the server.

check_smtp -H 2602:ffc5:1f::1f:8435 -p 25 -F mail2.nullmodem.org

Be sure to check out our Knowledgebase for helpful articles and solutions!
xenium
Posts: 3
Joined: Thu Jan 03, 2019 3:27 pm

Re: check_smtp: TLS not supported by server (bug?)

Post by xenium »

tgriep wrote: What version of the check_smtp plugin are you running?

check_smtp v2.2.1.git (nagios-plugins 2.2.1)

tgriep wrote: What I think happened is that the postfix main.cf file was changed and that it is not accepting TLS connections anymore or that the certs were regenerated on the postfix server and that is causing the error.

No, main.cf still has a timestamp of over a year ago, and I diffed it against a backup copy, and they're the same. The certs were not regenerated. I'm not using self-signed certs, I'm using certs signed by Let's Encrypt, and which auto-renew every three months via the acme.sh script run from cron. I included the output of gnutls-cli in my original post above, which shows a connection being made to port 25 of the mail server, a STARTTLS command being executed, and the decoded certificate and CA chain. All is still valid and the correct certs. Mail seems to be flowing normally, and every test I've tried shows that everything is working normally. The only thing that is not working is that check_smtp seems to be falsely reporting "WARNING - TLS not supported by server".

tgriep wrote: Try running the command without checking for TLS and see if you get any response from the server.

Yes, it works normally:

check_smtp -H 2602:ffc5:1f::1f:8435 -p 25 -F mail2.nullmodem.org
SMTP OK - 0.516 sec. response time|time=0.515718s;;;0.000000

I'm still guessing that something has changed in Postfix's TLS support, such as the available ciphers or the minimum TLS version, which check_smtp isn't compatible with. I still haven't had time to start digging into source code though. :-(
xenium
Posts: 3
Joined: Thu Jan 03, 2019 3:27 pm

Re: check_smtp: TLS not supported by server (bug?)

Post by xenium »

I'm still waiting for my last reply to this thread to be approved, but I did some more troubleshooting and found that if I rolled back to the previous version of check_smtp things worked normally again:

# rpm -e --nodeps nagios-plugins-smtp-2-2-1-15.20180725git3429dad.el7.x86_64
# rpm -i --nodeps nagios-plugins-smtp-2.2.1-9git5c7eb5b9.el7.x86_64.rpm

So it looks like this was indeed a bug with this particular release of the check_smtp plugin. I was in the process of filing a Bugzilla report for the epel package when I noticed that a new release was published just yesterday, nagios-plugins-smtp-2.2.1-16.20180725git3429dad.el7. I tried installing this and sure enough, it worked properly as well, so someone must have already discovered the problem and corrected it.

So to summarize:

nagios-plugins-smtp-2.2.1-9git5c7eb5b9.el7 - works properly
nagios-plugins-smtp-2.2.1-15.20180725git3429dad.el7 - breaks TLS test
nagios-plugins-smtp-2.2.1-16.20180725git3429dad.el7 - works properly
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: [solved] check_smtp: TLS not supported by server (bug?)

Post by scottwilkerson »

Glad to hear it is resolved!

Locking thread
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com