I have a mail server at host.effortlessis.com set up with LetsEncrypt certificates. Whenever I turn on the smtps test, I get a status RED from xymon with the error message:
Service smtps on host.effortlessis.com is not OK : Service listening but unavailable (SSL error)
Any idea how to resolve this?
Some config details that might help:
xymon-4.3.30 on CentOS Linux release 7.9.2009 (Core)
No issues with smtp test.
hosts.cfg:
51.68.205.149 host.effortlessis.com # smtp smtps conn imaps sni https://host.effortlessis.com

server/etc/protocols.cfg:
[smtps]
   send "ehlo xymonnet\r\nquit\r\n"
   expect "220"
   options ssl,banner
   port 465
The SSL certificate passes fine if I check it manually. (monitor is the name of the xymon host and I am running this test as the xymon daemon user)
[xymon at monitor ~]$ echo "quit" | openssl s_client -starttls smtp -connect host.effortlessis.com:465 > /dev/null
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = host.effortlessis.com
verify return:1
250 SMTPUTF8
DONE
After some squinting, I noticed that the smtp service on telnet responds with 220 but over SSL with the openssl command it returns 250. I changed the "expect" parameter in the [smtps] section of protocols.cfg to "250" and it made no difference.
Whatever it's complaining about it has something to do with SSL.
Benjamin
Firstly, you'll see 220 at the very start, and then 250 after sending EHLO or HELO. So you were correct the first time, with "expect 220".
Secondly, the mail server uses STARTTLS, so it's not doing encryption at the point that the EHLO and QUIT strings are sent. The "ssl" option in protocols.cfg assumes SSL/TLS is present during the handshake, immediately after the TCP connection is established, rather than after issuing the "send" string. Try removing the "ssl" option from protocols.cfg and see if that helps.
Cheers,
Jeremy
On Wed, 16 Jun 2021 at 05:07, Lists <lists at benjamindsmith.com> wrote:
On Tuesday, June 15, 2021 7:46:56 PM PDT Jeremy Laidman wrote:
Benjamin
Firstly, you'll see 220 at the very start, and then 250 after sending EHLO or HELO. So you were correct the first time, with "expect 220".
Thanks Jeremy, I put this back
Secondly, the mail server uses STARTTLS, so it's not doing encryption at the point that the EHLO and QUIT strings are sent. The "ssl" option in protocols.cfg assumes SSL/TLS is present during the handshake, immediately after the TCP connection is established, rather than after issuing the "send" string. Try removing the "ssl" option from protocols.cfg and see if that helps.
And when I do this, it "tests green" but apparently no longer is testing the SSL certificate.
Is there a way to have xymon test the validity and currency of the SSL certificate too? Especially with LetsEncrypt certificates, I'd like to have warning if there is a problem with the postfix certificate config.
Thanks,
Ben
Are you getting an "sslcert" column? It gets generated automatically for https and similar protocols, but I don't know if that's generated for smtps. If it is, you can alert on that column. You can set WARN and PANIC number of days in the hosts.cfg entry.
Ralph Mitchell
On Wed, Jun 16, 2021 at 1:29 AM Lists <lists at benjamindsmith.com> wrote:
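Jeremy's point about implicit TLS on port 465 versus STARTTLS, and Ralph's about alerting on the days a certificate has left, as an added Python example (not from this thread and not xymon's own code): it probes 465 with the TLS handshake before the 220 banner, probes 25/587 by upgrading with STARTTLS after the banner, verifies chain and hostname both ways, and maps the certificate's remaining days onto xymon-style colours using assumed WARN/PANIC thresholds of 30 and 10 days.

```python
"""Probe an SMTP service the way a monitor does: implicit TLS (465) vs STARTTLS."""
import socket
import ssl
import smtplib
from datetime import datetime, timezone
from typing import Optional, Tuple

WARN_DAYS, PANIC_DAYS = 30, 10  # assumed thresholds, like WARN/PANIC days in hosts.cfg
SAMPLE_NOW = datetime(2021, 6, 16, tzinfo=timezone.utc)  # constructed "now" for offline checks


def banner_is_ok(banner: bytes) -> bool:
    """Xymon's [smtps] 'expect "220"': the greeting itself must start with 220."""
    return banner.startswith(b"220")


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Parse the notAfter string ssl.getpeercert() returns, e.g. 'Sep 14 12:00:00 2021 GMT'."""
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days


def cert_status(days_left: int) -> str:
    """Map remaining validity onto the colours an sslcert column would show."""
    if days_left < PANIC_DAYS:
        return "red"
    if days_left < WARN_DAYS:
        return "yellow"
    return "green"


def probe_implicit_tls(host: str, port: int = 465, timeout: float = 10.0) -> Tuple[bool, str]:
    """Port 465 (smtps): TLS handshake first, then the 220 banner arrives inside TLS."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            banner = tls.recv(1024)
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
    return banner_is_ok(banner), cert["notAfter"]


def probe_starttls(host: str, port: int = 587, timeout: float = 10.0) -> Tuple[bool, str]:
    """Port 25/587: plaintext 220 banner and EHLO first, then STARTTLS upgrades the socket."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:  # raises unless banner is 220
        code, _ = smtp.ehlo()
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return code == 250, cert["notAfter"]
```

Feed either probe's notAfter string to days_until_expiry and cert_status to get the colour the certificate would earn today.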
On Tuesday, June 15, 2021 10:40:13 PM PDT Ralph M wrote:
Are you getting an "sslcert" column? It gets generated automatically for https and similar protocols, but I don't know if that's generated for smtps. If it is, you can alert on that column. You can set WARN and PANIC number of days in the hosts.cfg entry.
Well gosh if it isn't there - I just saw the https stuff at the top and didn't connect that smtps would be buried in there as well.
Thank you!