Sending EMail via TLS
Hi
I am trying to configure Nagios XI 5.7.1 to connect to our Postfix servers over TLS.
When I change the Security to TLS I get the following message:
2021-03-25 16:23:09 SMTP -> get_lines(): $str is "220 2.0.0 Ready to start TLS"
2021-03-25 16:23:09 SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2021-03-25 16:23:09 Connection failed. Error #2: stream_socket_enable_crypto(): SSL: Connection reset by peer [/usr/local/nagiosxi/html/includes/phpmailer/class.smtp.php line 375]
SMTP Error: Could not connect to SMTP host.
2021-03-25 16:23:09 CLIENT -> SERVER: QUIT
2021-03-25 16:23:09 Connection failed. Error #8: fwrite(): send of 6 bytes failed with errno=32 Broken pipe [/usr/local/nagiosxi/html/includes/phpmailer/class.smtp.php line 999]
2021-03-25 16:23:09 SERVER -> CLIENT:
2021-03-25 16:23:09 SMTP ERROR: QUIT command failed:
2021-03-25 16:23:09 Connection: closed
SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/ ... leshooting
Everything before this has code 250
I can connect to the same Postfix Servers from other Servers (Windows) via TLS
When I run the following openssl command
openssl s_client -starttls smtp -connect POSTFIXSERVER:25
I get all the details of the Certificate
The Certificate is made up of
CommonName - External VIP Name of the Postfix Servers
DNS1 Internal Name for the same Postfix Servers (This is what we connect to)
Signed by our Internal CA Server
The Connection to the Postfix Servers over Port 25 is open and there is no userid and password required
Could it be that the Certificate needs to be imported into the Nagios Server, or the CA Root Certificate?
Thanks
Re: Sending EMail via TLS
Encrypted communication to mail servers is typically one of two routes:
1. SSL connection on port 465 or 587.
2. Plaintext connection on port 25 where TLS encryption is negotiated in plaintext via a "STARTTLS" command.
Can you change the port to 465 and turn on SSL?
And if that doesn't work, try port 587.
What's the full output from the following commands?
Code: Select all
openssl s_client -connect <MAIL SERVER ADDRESS>:465 </dev/null
openssl s_client -connect <MAIL SERVER ADDRESS>:587 </dev/null
If you didn't get an 8% raise over the course of the pandemic, you took a pay cut.
Discussion of wages is protected speech under the National Labor Relations Act, and no employer can tell you you can't disclose your pay with your fellow employees.
Re: Sending EMail via TLS
Hi
When I send emails via SSL over ports 465 and 587 I get the following message:
A test email was sent to [email protected]
----
Mailer said: [03-29-2021 04:00:28] SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/ ... leshooting (method=smtp;host=wayopsmail.hosting.knxa;port=587;security=ssl), Referer: admin/testemail.php
An error occurred sending a test email!
Here is the output from the commands you requested. As ports 465 and 587 gave the same results, I tested the command against port 25.
[root@swy01opngios02 ~]# openssl s_client -connect wayopsmail.hosting.knxa:465 </dev/null
socket: Bad file descriptor
connect:errno=9
[root@swy01opngios02 ~]# openssl s_client -connect wayopsmail.hosting.knxa:587 </dev/null
socket: Bad file descriptor
connect:errno=9
[root@swy01opngios02 ~]# openssl s_client -connect wayopsmail.hosting.knxa:25 </dev/null
CONNECTED(00000003)
139672280930192:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1617004478
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[root@swy01opngios02 ~]#
Re: Sending EMail via TLS
Can you try it with every possible combination of security types: SSL/TLS/None?
Does the postfix log on the SMTP server indicate anything?
Does the "sendmail" email configuration work (i.e. set email to Sendmail under Admin => Email Settings)?
Re: Sending EMail via TLS
Hi
We do not use the sendmail method; we use SMTP and connect to a Postfix server.
With the SMTP configuration:
Host <POSTFIX SERVER>
Port 25
Username and Password <blank>
Security:
None - emails are sent with no problem
TLS
Mar 30 03:34:05 swy01opintml04 postfix/smtpd[32760]: connect from unknown[172.21.20.12]
Mar 30 03:34:05 swy01opintml04 postfix/smtpd[32760]: SSL_accept error from unknown[172.21.20.12]: -1
Mar 30 03:34:05 swy01opintml04 postfix/smtpd[32760]: warning: TLS library problem: 32760:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Mar 30 03:34:05 swy01opintml04 postfix/smtpd[32760]: lost connection after STARTTLS from unknown[172.21.20.12]
Mar 30 03:34:05 swy01opintml04 postfix/smtpd[32760]: disconnect from unknown[172.21.20.12]
SSL
Mar 30 03:35:42 swy01opintml04 postfix/smtpd[32760]: connect from unknown[172.21.20.12]
Mar 30 03:35:42 swy01opintml04 postfix/smtpd[32760]: lost connection after UNKNOWN from unknown[172.21.20.12]
Mar 30 03:35:42 swy01opintml04 postfix/smtpd[32760]: disconnect from unknown[172.21.20.12]
I am not sure what System / Device 172.21.20.12 is but I will ask the network Team when they come online later today
Thanks
Re: Sending EMail via TLS
Hi
warning: TLS library problem: 32760:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Is the Nagios server trying to use TLSv1.0? If so, is there a way to force Nagios to use TLSv1.2 or 1.3?
Thanks
Re: Sending EMail via TLS
If your OpenSSL version is less than 1.1.0 ON BOTH SERVERS you'll not be able to use TLS1.3.
Nagios already tries to connect using TLS1.2. Forcing TLS1.2 will only make it fail to connect if the SMTP server doesn't support it.
What's the output from the following command on both servers?
Code: Select all
openssl version
Re: Sending EMail via TLS
Hi
When I run the openssl version command on both our Nagios Server and our Postfix Server I get the same output
[root@swy01opngios02 ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@swy01opngios02 ~]#
The funny thing is I have just tried on another system, and that system will send with the Security option TLS selected.
The Postfix and the Nagios servers in both locations are configured the same way
and they have the same OpenSSL version as above.
I see the following message in the logs on the Postfix server:
postfix/smtpd[14167]: Anonymous TLS connection established from unknown[9.37.34.6]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
9.37.34.6 - is one of our load balancers
On the servers that don't work I get this message:
lost connection after STARTTLS from unknown[172.21.20.12]
172.21.20.12 - is another load balancer in this other site
So let me check with our Networking Team to see if they can spot any differences.
Thanks
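The two outcomes contrasted in the post above, pulled out of a Postfix smtpd log per client address (an added example, not part of the original thread; the function names are hypothetical, and the sample lines are adapted from the excerpts quoted here, with the timestamp and host prefix on the second session constructed). The "TLS library problem" line names no client, so it is tied to its session by smtpd PID:

```python
import re
from collections import defaultdict

# Constructed sample, adapted from the Postfix excerpts quoted in this thread.
SAMPLE_LOG = """\
Mar 30 03:34:05 swy01opintml04 postfix/smtpd[32760]: connect from unknown[172.21.20.12]
Mar 30 03:34:05 swy01opintml04 postfix/smtpd[32760]: warning: TLS library problem: 32760:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Mar 30 03:34:05 swy01opintml04 postfix/smtpd[32760]: lost connection after STARTTLS from unknown[172.21.20.12]
Mar 30 03:34:05 swy01opintml04 postfix/smtpd[32760]: disconnect from unknown[172.21.20.12]
Mar 30 03:40:11 mailhost postfix/smtpd[14167]: connect from unknown[9.37.34.6]
Mar 30 03:40:11 mailhost postfix/smtpd[14167]: Anonymous TLS connection established from unknown[9.37.34.6]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 30 03:40:12 mailhost postfix/smtpd[14167]: disconnect from unknown[9.37.34.6]
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"connect from \S*\[(?P<ip>[^\]]+)\]")
ESTABLISHED = re.compile(r"TLS connection established from \S+: (?P<proto>\S+) with cipher (?P<cipher>\S+)")
LOST = re.compile(r"lost connection after (?P<stage>\S+) from")
LIBERR = re.compile(r"TLS library problem: .*?:SSL routines:[^:]+:(?P<reason>[^:]+):")

def summarize(log_text):
    """Group smtpd sessions by client address; lines are tied to a session by PID."""
    open_sessions = {}            # smtpd PID -> session in progress
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if (c := CONNECT.match(msg)):
            open_sessions[pid] = {"tls": None, "lost_after": None, "tls_error": None, "ip": c.group("ip")}
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue
        if (e := ESTABLISHED.search(msg)):
            sess["tls"] = (e.group("proto"), e.group("cipher"))
        elif (lost := LOST.match(msg)):
            sess["lost_after"] = lost.group("stage")
        elif (err := LIBERR.search(msg)):
            sess["tls_error"] = err.group("reason")
        elif msg.startswith("disconnect from"):
            by_client[sess["ip"]].append(open_sessions.pop(pid))
    return dict(by_client)

def failed_starttls_clients(summary):
    """Clients with a session dropped at STARTTLS and no TLS session established."""
    return sorted(ip for ip, sessions in summary.items()
                  if any(s["lost_after"] == "STARTTLS" and not s["tls"] for s in sessions))
```

Sessions are recorded when their `disconnect from` line is seen, so a log cut off mid-session leaves that session out of the summary.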
Re: Sending EMail via TLS
Okay, that's interesting. Obviously there's more going on to the network infrastructure than meets the eye (perhaps even the load balancer only supports TLS 1.0 - who can say?).
Let me know what your network team has to say.
Re: Sending EMail via TLS
Hi
I did more testing and I have noticed that if I hash out these lines in the Postfix config the emails are sent correctly
#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
So it looks like Nagios is trying to connect via TLSv1.
Can you tell me how to configure Nagios to use TLSv1.2 or TLS1.3?
With these lines enabled I get the message that is seen at the following URL:
https://tinycp.com/community/show/solve ... -c,23.html