We had a problem with a mail server this morning (server hung) and the Email Delivery service check results contained the error output from /usr/local/nagios/libexec/check_imap_receive. This output contained the account name and password sent to the server. This was available to anyone who was able to see the service in the Nagios XI GUI and was sent out in the email notifications. This is a bad thing.
Sanitized email contents:
---
***** Nagios XI Alert *****
Nagios has detected a problem with this service.
Notification Type: PROBLEM
Service: Email Delivery
Host: mymailserver.mydomain
Address: 1.2.3.4
State: CRITICAL
Info:
EMAIL DELIVERY CRITICAL - imap failed: IMAP RECEIVE CRITICAL - Could not connect to mymailserver.mydomain port 993: Error sending 1 LOGIN ACCOUNT PASSWORD: Write failed Broken pipe at /usr/local/nagios/libexec/check_imap_receive line 128.
Date/Time: 2014-01-25 07:20:03
---
As a temporary workaround (untested), I changed line 128:
128 #$imap->login() or die "$@"; #20140520
129 $imap->login() or die "LOGIN FAILED"; #20140520
check_imap_receive exposes login/pw in some cases
Re: check_imap_receive exposes login/pw in some cases
Good catch. I'll mention this to our plugin devs.
Former Nagios employee