Hi,
Is there a way to have Xymon monitor the TLS certificate on SMTP while using SMTP's STARTTLS verb?
I'm already monitoring the certificate on SMTPS (SMTP with implicit TLS on port 465) but I'd like to also monitor the certificate on SMTP+STARTTLS (SMTP with explicit TLS via STARTTLS verb on port 25).
I've got some weird systems where the ports aren't using the same daemon / config, as such I can't rely on both being the same.
-- Grant. . . .
On 01/01/2026 19:55, Grant Taylor via Xymon wrote:
Hi,
Is there a way to have Xymon monitor the TLS certificate on SMTP while using SMTP's STARTTLS verb?
I'm already monitoring the certificate on SMTPS (SMTP with implicit TLS on port 465) but I'd like to also monitor the certificate on SMTP+STARTTLS (SMTP with explicit TLS via STARTTLS verb on port 25).
I've got some weird systems where the ports aren't using the same daemon / config, as such I can't rely on both being the same.
I don't think the builtin SSL test can handle this: "man xymonnet" only refers to STARTTLS in the context of the ldap test.
You could write an extension script using openssl to get and parse the certficate, though:
$ echo | openssl s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null
will print the certificate, and so you can e.g. get the expiry date via
$ echo | openssl s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 10 00:00:00 2025 GMT notAfter=Nov 9 23:59:59 2026 GMT
Adam
Hi Adam
If not tried then try:
Test certificate on Port 587
This setup verifies SMTP functionality and the TLS certificate used by Postfix on port 587 (submission with STARTTLS).
- Xymon SMTP + TLS certificate test (recommended) analysis.cfg SMTP mail.example.com 587 STARTTLS WARNDAYS=30
What this checks:
SMTP banner and protocol response
STARTTLS negotiation
TLS certificate validity
Certificate expiration (warning 30 days before expiry)
Hostname/FQDN match (CN / SAN)
Br. Jesper - DK
-----Oprindelig meddelelse----- Fra: Adam Thorn via Xymon <xymon@xymon.com> Sendt: 2. januar 2026 13:27 Til: xymon@xymon.com Cc: Adam Thorn <alt36@cam.ac.uk> Emne: [Xymon] Re: SMTP+STARTTLS
On 01/01/2026 19:55, Grant Taylor via Xymon wrote:
Hi,
Is there a way to have Xymon monitor the TLS certificate on SMTP while using SMTP's STARTTLS verb?
I'm already monitoring the certificate on SMTPS (SMTP with implicit TLS on port 465) but I'd like to also monitor the certificate on SMTP+STARTTLS (SMTP with explicit TLS via STARTTLS verb on port 25).
I've got some weird systems where the ports aren't using the same daemon / config, as such I can't rely on both being the same.
I don't think the builtin SSL test can handle this: "man xymonnet" only refers to STARTTLS in the context of the ldap test.
You could write an extension script using openssl to get and parse the certficate, though:
$ echo | openssl s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null
will print the certificate, and so you can e.g. get the expiry date via
$ echo | openssl s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 10 00:00:00 2025 GMT notAfter=Nov 9 23:59:59 2026 GMT
Adam
Xymon mailing list -- xymon@xymon.com To unsubscribe send an email to xymon-leave@xymon.com
On 1/2/26 9:28 AM, Jesper Jensen wrote:
If not tried then try:
Test certificate on Port 587
This setup verifies SMTP functionality and the TLS certificate used by Postfix on port 587 (submission with STARTTLS).
- Xymon SMTP + TLS certificate test (recommended) analysis.cfg SMTP mail.example.com 587 STARTTLS WARNDAYS=30
Was "SMTP" added as a new config stanza / option in more recent version of Xymon?
I don't see any reference to it in the comments in analysis.cfg nor it's manual page in 4.3.30.
What this checks:
SMTP banner and protocol response
STARTTLS negotiation
TLS certificate validity
Certificate expiration (warning 30 days before expiry)
Hostname/FQDN match (CN / SAN)
I would love to learn more about this.
Is this something available in newer versions? Or is the documentation I'm looking at for 4.3.30 simply missing references to it?
-- Grant. . . .
On 1/2/26 6:26 AM, Adam Thorn via Xymon wrote:
I don't think the builtin SSL test can handle this: "man xymonnet" only refers to STARTTLS in the context of the ldap test.
I wasn't aware of it. Hence asking. :-)
You could write an extension script using openssl to get and parse the certficate, though:
Where can I find more about writing an extension script?
Aside: I wonder if I might be able to (ab)use this to make some nicer SMTP et al. checks that actually speak more of the SMTP protocol to less likely annoy some security monitors; e.g. "<client IP> didn't issue any commands" or "<client IP> sent pre-greeting traffic". -- I can see a lot of value in such extensions, more than just SMTP.
$ echo | openssl s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null
will print the certificate, and so you can e.g. get the expiry date via
$ echo | openssl s_client -connect outlook.office.com:587 -starttls smtp 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 10 00:00:00 2025 GMT notAfter=Nov 9 23:59:59 2026 GMT
Yep. I'm well versed in the openssl command. ;-)
What I wasn't aware was possible until reading your reply is creating an extension that can run whatever test I create.
I'm assuming that the extension script is not the same as extensions that are run client side to test additional things. I've got many such client side extensions checking things in Oracle, system multipath, etc.
I'd love to learn that there's a way to extend things on the Xymon server (or proxy server) to test from the central point in more ways.
I've skimmed many Xymon manual pages, but seem to have missed something or otherwise failed to grock server side extensions.
-- Grant. . . .
On 02/01/2026 18:08, Grant Taylor via Xymon wrote:
What I wasn't aware was possible until reading your reply is creating an extension that can run whatever test I create.
I'm assuming that the extension script is not the same as extensions that are run client side to test additional things. I've got many such client side extensions checking things in Oracle, system multipath, etc.
I'd love to learn that there's a way to extend things on the Xymon server (or proxy server) to test from the central point in more ways.
There's not really any difference between server-side and client-side plugins: if you know how to write the latter, you're nearly there with the former!
One source of examples is the debian "hobbit-plugins" package, and specifically the ..../server/ext dir:
https://salsa.debian.org/debian/hobbit-plugins/-/tree/master/src/usr/lib/xym...
The xymongrep command can be used to parse your hosts.cfg file and extract a list of tagged hosts that you want to run your test against:
https://xymon.sourceforge.io/xymon/help/manpages/man1/xymongrep.1.html
Implement whatever test you want, and then just make sure to set the "hostname" parameter in the message sent to xymon. You'll see lines like
my $bb = new Hobbit( { test => 'tftp', hostname => $destination } );
in the examples.
To run the script on your xymon server, drop a cfg file in /etc/xymon/tasks.d/ which is just like the config files you'd put in /etc/xymon/clientlaunch.d/ for a client-side script.
Adam
Hi Adam,
On 1/3/26 4:42 AM, Adam Thorn via Xymon wrote:
There's not really any difference between server-side and client-side plugins: if you know how to write the latter, you're nearly there with the former!
Cool!
One source of examples is the debian "hobbit-plugins" package, and specifically the ..../server/ext dir:
Okay.
https://salsa.debian.org/debian/hobbit-plugins/-/tree/master/src/usr/ lib/xymon/server/ext?ref_type=heads
Thank you for that link as it makes such research very convenient. :-)
The xymongrep command can be used to parse your hosts.cfg file and extract a list of tagged hosts that you want to run your test against:
https://xymon.sourceforge.io/xymon/help/manpages/man1/xymongrep.1.html
I'm aware of xymongrep and I think I understand it's intended use case.
Implement whatever test you want, and then just make sure to set the "hostname" parameter in the message sent to xymon. You'll see lines like
my $bb = new Hobbit( { test => 'tftp', hostname => $destination } );
That looks like it's instantiating $bb as a new Hobbit object with some parameters. Standard Perl methodology.
in the examples.
I will.
To run the script on your xymon server, drop a cfg file in /etc/xymon/ tasks.d/ which is just like the config files you'd put in /etc/xymon/ clientlaunch.d/ for a client-side script. So far I've added stanzas to the singular clientlauch.config (from memory) file. But I can see how those could go in separate files in a directory therefor.
If memory serves, the extensions run their test and output results that get added to the client log that's sent to the Xymon server. The Xymon server then parses them as necessary.
I'm sending a few clear alerts with values (encoded in the way / with the tags that Xymon wants) so that the server can key on the values and standard alerting rules to alter the color. One mail server might alert on 10 messages in the mail queue while another might alert on 250 messages in the mail queue.
I think the most germane thing from the SMTP+STARTTLS or IMAP+STARTTLS or POP3+STARTTLS perspective is passing TLS certificate information to Xymon so that germane details show up on the sslcert page.
I'll definitely be doing some digging as time permits.
Thank you Adam!
-- Grant. . . .
On 03/01/2026 18:42, Grant Taylor via Xymon wrote:
If memory serves, the extensions run their test and output results that get added to the client log that's sent to the Xymon server. The Xymon server then parses them as necessary.
Extension scripts (whether client-side or server-side) just send a message to your xymon server saying "$TESTNAME has colour $COLOUR, message $MESSAGE etc". Look in "man xymon" under "XYMON MESSAGE SYNTAX", for the message-type of "status"
separately there's the suite of reports sent by /usr/lib/xymon/client/bin/xymonclient-linux.sh (or other similar scripts in that directory for other OSs). Run the script manually, and it'll just print a wall of text divided into sections with headers like [date], [uname] etc . When run by xymonclient.sh , that gets sent to your xymon server where it's parsed, with the resulting colours being determined by the contents of your analysis.cfg . For example the [df] section will lead to the report you see under the "disk" test. For full details see xymond/client/linux.c which parses the date from that shell script and sends the various sections to functions with names like unix_TESTNAME_report(). Those functions generally finish by sending a suitable "status" message to the xymon server, just like an extension script does when you call $bb->send().
I'm sending a few clear alerts with values (encoded in the way / with the tags that Xymon wants) so that the server can key on the values and standard alerting rules to alter the color. One mail server might alert on 10 messages in the mail queue while another might alert on 250 messages in the mail queue.
Possible note of caution: by default, clear-coloured messages don't lead to alerts. See the value of ALERTCOLORS in your xymonserver.cfg , which defaults to red, yellow, purple.
Adam
Hi Adam,
On 1/3/26 2:06 PM, Adam Thorn via Xymon wrote:
Extension scripts (whether client-side or server-side) just send a message to your xymon server saying "$TESTNAME has colour $COLOUR, message $MESSAGE etc". Look in "man xymon" under "XYMON MESSAGE SYNTAX", for the message-type of "status"
I'm fairly familiar with client side extensionis. I've created half a dozen or more and am quite happy with them.
separately there's the suite of reports sent by /usr/lib/xymon/client/ bin/xymonclient-linux.sh (or other similar scripts in that directory for other OSs). Run the script manually, and it'll just print a wall of text divided into sections with headers like [date], [uname] etc . When run by xymonclient.sh , that gets sent to your xymon server where it's parsed, with the resulting colours being determined by the contents of your analysis.cfg .
I think I understand that process.
I've got some AIX systems that I've gotten to send status (output from xymonclient-aix.sh) via a wrapper script that's called by cron. I went that route because I don't yet have a compile of Xymon for AIX.
I've recently gotten my hands on a non-production system that I will be installing the GNU toolchain so that I can compile Xymon on AIX. That will allow me to utilize some of the file monitor checks.
Those functions generally finish by sending a suitable "status" message to the xymon server, just like an extension script does when you call $bb->send().
Hum.
Are you suggesting that the Xymon server receives the xymonclient-${OS}.sh script output, processes it, and then turns around and sends status updates the same way that I can use xymonclient to send status updates? -- I naively assumed that it would send them internally via some sort of RPC and not externally.
Possible note of caution: by default, clear-coloured messages don't lead to alerts. See the value of ALERTCOLORS in your xymonserver.cfg , which defaults to red, yellow, purple. Yes, I'm aware. I'm relying on analysis.cfg DS config stanzas to set the color as necessary per host.
The extension sends clear to be generic and able to run across systems. Then each HOST has a proper DS setting for that host.
HOST=host1.example.net DS sendmailq sendmailq.rrd:mqueue >25 COLOR=yellow "TEXT=There are &V messages in the mqueue queue (&L / &U)."
HOST=host2.example.net DS sendmailq sendmailq.rrd:mqueue >5 COLOR=yellow "TEXT=There are &V messages in the mqueue queue (&L / &U)."
That way host1 warns when there are more than 25 messages in the mail queue and host2 warns when there are more than 5 messages in the mail queue. The same script is used to collect data, send a clear message with details.
This has been working great!
Did I miss information about how to get TLS certificate information from my custom server extension to show up on the sslcert page?
I can easily create a script to do the testing, but I don't know how to pass TLS cert details so that they show up on the sslcert page.
-- Grant. . . .
On Thu, 8 Jan 2026 at 12:58, Grant Taylor via Xymon <xymon@xymon.com> wrote: <snip>
Did I miss information about how to get TLS certificate information from my custom server extension to show up on the sslcert page?
I can easily create a script to do the testing, but I don't know how to pass TLS cert details so that they show up on the sslcert page.
The sslcert page is only going to be populated if you have https tests in hosts.cfg. If it's a mail server that's not a webserver, then you won't have an sslcert page. That means all you need to do is send a status message for sslcert, based on your STARTTLS interaction in your script. If your server is both webserver and mailserver, then things are a bit more complicated, which I can go into if this is the case, otherwise I'll assume not.
So the script does something like:
#!/bin/bash HOSTNAME=mail.example.com NEWLINE=$'\n' #bashism cert_is_good() {
fill in details here to test cert text in $1 and return 0 or 1 on status
print out a line for the status message
}
CERT=echo QUIT | openssl s_client -starttls smtp -connect $HOSTNAME:25 2>/dev/null | openssl x509 -noout -text
MSG=cert_is_good "$CERT" && COL=green || COL=red
$XYMON $XYMSRV "status $MAILSERVER.sslcert $COL $MSG$NEWLINE$CERT"
There's no need to make use of the client data message, as was suggested previously. The script is able to determine the status by itself. Client data messages are generally for when the client collects info but the server determines the status. This doesn't appear to be the case here.
You *could* run the script on the client, testing itself and reporting to the Xymon server. Just set MAILSERVER to 127.0.0.1 (or even leave it as is, and it should still work). But that means you need to roll out the script to every mail server you operate, now and in the future.
To better work within the Xymon operating model, your script is essentially replacing a component of the xymonnet process, which runs on the Xymon server. So it would make sense to run the script on the Xymon server. It makes it simpler to scale up and to adapt to changes in your email infrastructure. And it means you don't have to make any changes on your mail server.
A good way to implement such a server-side script is to have it iterate over all hosts that have a specific tag in hosts.cfg. This mirrors the behaviour of xymonnet when you add "conn" or "ssh" to a host entry, causing xymonnet to do its checks on that host. For example, you could add a tag "smtp-starttls" and then a revised form of the script could test all hosts that have this tag. Something like:
#!/bin/bash TAG="smtp-starttls" NEWLINE=$'\n'# bashism cert_is_good() {
do the needful on $1
print one line status message
}
xymongrep $TAG | while read IP HOSTNAME REST; do
CERT=echo QUIT | openssl s_client -starttls smtp -connect $HOSTNAME:25 2>/dev/null | openssl x509 -noout -text
MSG=cert_is_good "$CERT" && COL=green || COL=red
$XYMON $XYMSRV "status $HOSTNAME.sslcert $COL $MSG$NEWLINE$CERT"
done
Then just run this every 5 minutes, probably from an entry in tasks.cfg.
Cheers Jeremy
participants (4)
-
Adam Thorn
-
Grant Taylor
-
Jeremy Laidman
-
Jesper Jensen