monit-general

Re: correct STARTTLS syntax for email alerts?


From: David Newman
Subject: Re: correct STARTTLS syntax for email alerts?
Date: Mon, 30 Jul 2018 14:08:22 -0700
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 7/30/18 12:05 PM, address@hidden wrote:
> Thanks for the data.
> 
> I tried to reproduce the problem with the following configuration and it 
> seems to work correctly:
> 
> set mailserver mail8.networktest.com port 587
>         username "test" password "123456"
>         using tls
> 
> I get "Mail: Mailserver response error -- 535 5.7.8 Error: authentication 
> failed" but that is expected (I didn't use real credentials). The credentials 
> are sent by monit past the STARTTLS command and the server didn't indicate 
> the STARTTLS error.
> 
> Please can you verify your monit is compiled with SSL?:
> 
>       monit -V

Yes, it appears to be:

This is Monit version 5.25.2
Built with ssl, with ipv6, with compression, with pam and with large files
Copyright (C) 2001-2018 Tildeslash Ltd. All Rights Reserved.
dh

This is on FreeBSD 11.2-RELEASE, compiled from ports.

One delta between our configs, if it matters, is that yours has 'set tls'
instead of 'set ssl' in the 'set mailserver' definition. I don't think
that's significant, as I changed mine, restarted monit, and saw the same
STARTTLS error as before. I also tried commenting out the 'pemfile:'
line in the 'set ssl' definition but that also had no effect.

An openssl STARTTLS handshake works OK from this server's command line.
Output below.

Anything else I need to check in the monit config?

Thanks

dn


$ openssl s_client -connect mail8.networktest.com:587 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mail8.networktest.com
verify return:1
---
Certificate chain
 0 s:/CN=mail8.networktest.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=mail8.networktest.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4504 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0ACB792CC4FBE288FA99928EFED5091F9814FB55965D09D4805DBA3555405DE9
    Session-ID-ctx:
    Master-Key: 87E9DD57D5377D03140DE2867C90B784490DEEC53964486943C60A6CC58DCFB5DB9B642446B331925145D6CBA771E308
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 93 c6 c5 5c 96 10 6d 21-29 4d c2 b5 ff cc bd 6e   ...\..m!)M.....n
    0010 - f8 47 c6 6a 57 dc 70 82-2b 2f 26 67 08 13 4e dd   .G.jW.p.+/&g..N.
    0020 - cf 94 0c d8 63 f9 3a 18-54 19 0c 19 bd 90 a8 7e   ....c.:.T......~
    0030 - 94 01 1a 4b 1b e1 a8 da-6f 0d 9e c4 05 68 ac 0a   ...K....o....h..
    0040 - d7 7a c1 60 50 60 e4 51-ff 73 d4 33 0b 8b dc 97   .z.`P`.Q.s.3....
    0050 - aa 8f 0f 52 34 54 3b 1d-8d 92 7c 32 34 58 04 aa   ...R4T;...|24X..
    0060 - a3 92 eb 7b 9c a6 6b 98-ce 37 f2 67 e9 39 4a 3d   ...{..k..7.g.9J=
    0070 - 28 4d 83 8b 7c 8f 48 af-0b 0a a1 67 0a cd 39 19   (M..|.H....g..9.
    0080 - 4c e2 f4 18 87 72 7d c3-5e 79 7a 2e 11 e0 2e eb   L....r}.^yz.....
    0090 - a7 bb 18 ba fe 90 18 5f-2b 2e 66 e3 84 b6 d1 81   ......._+.f.....

    Start Time: 1532984690
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 SMTPUTF8

>> On 30 Jul 2018, at 20:53, David Newman <address@hidden> wrote:
>>
>> On 7/30/18 10:50 AM, address@hidden wrote:
>>
>>> The configuration looks fine, please can you send Monit log?
>>
>> It's just a lot of entries like this. I deliberately stopped the Mailman
>> service to try to force an email alert from Monit.
>>
>> Thanks in advance for any troubleshooting clues.
>>
>> dn
>>
>> [PDT Jul 29 16:03:50] info     : Starting Monit 5.25.2 daemon with http
>> interface at [localhost]:2812
>> [PDT Jul 29 16:03:50] info     : 'mail8.networktest.com' Monit 5.25.2
>> started
>> [PDT Jul 29 16:03:55] error    : 'mailman' service restarted 1 times
>> within 1 cycles(s) - alert
>> [PDT Jul 29 16:03:55] error    : Mail: Mailserver response error -- 530
>> 5.7.0 Must issue a STARTTLS command first
>> [PDT Jul 29 16:03:55] error    : Aborting event
>> [PDT Jul 29 16:03:55] info     : 'mailman' process is running after
>> previous restart timeout (manually recovered?)
>> [PDT Jul 29 16:03:55] error    : Mail: Mailserver response error -- 530
>> 5.7.0 Must issue a STARTTLS command first
>> [PDT Jul 29 16:03:55] error    : Aborting event
>> [PDT Jul 29 16:04:30] error    : 'mailman' process is not running
>> [PDT Jul 29 16:04:30] error    : Mail: Mailserver response error -- 530
>> 5.7.0 Must issue a STARTTLS command first
>> [PDT Jul 29 16:04:30] error    : Aborting event
>> [PDT Jul 29 16:04:30] info     : 'mailman' trying to restart
>> [PDT Jul 29 16:04:30] info     : 'mailman' start:
>> '/usr/local/etc/rc.d/mailman start'
>> [PDT Jul 29 16:05:21] error    : 'mailman' service restarted 1 times
>> within 1 cycles(s) - alert
>> [PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
>> 5.7.0 Must issue a STARTTLS command first
>> [PDT Jul 29 16:05:21] error    : Aborting event
>> [PDT Jul 29 16:05:21] info     : 'mailman' process is running with pid 18239
>> [PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
>> 5.7.0 Must issue a STARTTLS command first
>> [PDT Jul 29 16:05:21] error    : Aborting event
>> [PDT Jul 29 16:05:21] info     : 'mailman' process is running after
>> previous restart timeout (manually recovered?)
>> [PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
>> 5.7.0 Must issue a STARTTLS command first
>> [PDT Jul 29 16:05:21] error    : Aborting event
>>
>>>
>>> Best regards,
>>> Martin
>>>
>>>
>>>> On 30 Jul 2018, at 01:16, David Newman <address@hidden> wrote:
>>>>
>>>> FreeBSD 11.2, monit-5.25.2 compiled from ports with SSL/TLS support
>>>>
>>>> What's the correct syntax for monit to use STARTTLS when sending email
>>>> alerts?
>>>>
>>>> Currently monit logs this error:
>>>>
>>>> [PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
>>>> 5.7.0 Must issue a STARTTLS command first
>>>>
>>>> Using this configuration in /usr/local/etc/monitrc:
>>>>
>>>> set ssl options {
>>>>     version: auto
>>>>     verify: enable
>>>>     pemfile: /etc/ssl/certs/mail.example.com/everything.pem
>>>> }
>>>>
>>>> set mailserver mail.example.com
>>>>     port 587
>>>>     username "address@hidden"
>>>>     password="wouldnt-you-like-to-know"
>>>>     using ssl
>>>>
>>>> check process mailman with pidfile /usr/local/mailman/data/master-qrunner.pid
>>>>     group mailman
>>>>     start program = "/usr/local/etc/rc.d/mailman start"
>>>>     stop program = "/usr/local/etc/rc.d/mailman stop"
>>>>     if 1 restarts within 1 cycles then alert
>>>>
>>>> Thanks!
>>>>
>>>> dn
>>>>
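Added example (not code from the Monit project or from anyone in this thread): the openssl s_client run above only proves the server can complete a STARTTLS handshake; it does not show whether a client that then sends AUTH after EHLO/STARTTLS gets through, which is the path a monit alert needs on port 587. The script below does that exchange with Python's smtplib (EHLO, STARTTLS with chain and hostname verification, EHLO again, AUTH), and pairs it with two offline helpers: a parser for the "Mail: Mailserver response error" lines monit logs, and a judgement of what a client must do before AUTH given the cleartext EHLO reply. The host name and credentials in the probe are placeholders to fill in; the EHLO replies and the 535 log line in the tests are constructed, and the 530 line is the one quoted in this thread. The mapping from reply code to cause in classify_smtp_error is my reading of the SMTP codes, not something monit reports.

```python
import re
import smtplib
import ssl

# monit logs SMTP failures as, e.g. (line taken from this thread):
#   error    : Mail: Mailserver response error -- 530 5.7.0 Must issue a STARTTLS command first
MONIT_MAIL_ERROR = re.compile(
    r"Mail: Mailserver response error -- (?P<code>\d{3})\s+"
    r"(?:(?P<enhanced>\d\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.+)$"
)


def parse_monit_mail_error(line):
    """Return (smtp_code, enhanced_status_or_None, text) from a monit log line,
    or None when the line is not a mailserver response error."""
    m = MONIT_MAIL_ERROR.search(line)
    if m is None:
        return None
    return int(m.group("code")), m.group("enhanced"), m.group("text").strip()


def classify_smtp_error(code, enhanced, text):
    """My interpretation of the two replies seen in this thread."""
    if code == 530 and "STARTTLS" in text.upper():
        return "command sent before STARTTLS; the client never upgraded the session"
    if code == 535 and enhanced == "5.7.8":
        return "AUTH reached the server (so STARTTLS succeeded); credentials rejected"
    return "other"


def parse_ehlo(reply):
    """Turn an EHLO reply (first line = server name, then one extension per
    line, as smtplib hands it back) into {EXTENSION: parameters}."""
    exts = {}
    for ln in reply.splitlines()[1:]:
        parts = ln.strip().split(None, 1)
        if parts:
            exts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return exts


def auth_plan(cleartext_ehlo):
    """What a submission client must do before AUTH, judged only from the
    EHLO reply it received on the still-unencrypted connection."""
    exts = parse_ehlo(cleartext_ehlo)
    if "STARTTLS" not in exts:
        return "no-starttls"             # nothing to upgrade to on this port
    if "AUTH" in exts:
        return "auth-allowed-cleartext"  # server would take AUTH now (unwise, but offered)
    return "starttls-required"           # AUTH is only advertised after STARTTLS


def probe_submission(host, port=587, username=None, password=None, timeout=15):
    """Reproduce the exchange an alert sender needs on port 587:
    EHLO -> STARTTLS (chain + hostname verified) -> EHLO -> AUTH.
    Returns a dict of per-step results. Needs network access."""
    result = {}
    ctx = ssl.create_default_context()   # verifies the CA chain and the hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo()
        result["ehlo"] = (code, auth_plan(msg.decode("ascii", "replace")))
        if not smtp.has_extn("starttls"):
            result["starttls"] = "not offered"
            return result
        code, _ = smtp.starttls(context=ctx)   # ssl.SSLError here means a cert problem
        result["starttls"] = code
        result["tls"] = (smtp.sock.version(), smtp.sock.cipher()[0])
        smtp.ehlo()                            # capabilities must be re-read after STARTTLS
        result["auth_offered"] = smtp.has_extn("auth")
        if username is not None:
            try:
                smtp.login(username, password)
                result["auth"] = "ok"
            except smtplib.SMTPAuthenticationError as e:
                result["auth"] = (e.smtp_code, e.smtp_error.decode("ascii", "replace"))
    return result


if __name__ == "__main__":
    # Offline demo on the line quoted in this thread. To check a real server:
    #   probe_submission("mail.example.com", 587, "user", "secret")   # placeholders
    sample = ("[PDT Jul 29 16:05:21] error    : Mail: Mailserver response error "
              "-- 530 5.7.0 Must issue a STARTTLS command first")
    code, enhanced, text = parse_monit_mail_error(sample)
    print(code, enhanced, text, "=>", classify_smtp_error(code, enhanced, text))
```

The point of running the probe rather than openssl alone: if probe_submission() gets past starttls and reports auth as "ok" or a 535, the server side is fine for this sequence and the difference is in what the client sends before STARTTLS; a 530 "Must issue a STARTTLS command first" can only come back for a command the server saw on the cleartext channel.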


