monit-general

Re: correct STARTTLS syntax for email alerts?


From: address@hidden
Subject: Re: correct STARTTLS syntax for email alerts?
Date: Mon, 30 Jul 2018 23:39:52 +0200

Yes, the "using TLS" and "using SSL" do the same (enable encryption) ... we 
have switched to the "TLS" keyword to prevent confusion as the original SSLv[23] 
protocols are no longer safe and are disabled by default. The "SSL" keyword is 
still supported for backward compatibility.

Please can you get a network trace of the communication between monit and your 
mailserver on port 587 (for example using wireshark) and send it to 
address@hidden


> On 30 Jul 2018, at 23:08, David Newman <address@hidden> wrote:
> 
> On 7/30/18 12:05 PM, address@hidden wrote:
>> Thanks for data.
>> 
>> I tried to reproduce the problem with the following configuration and it 
>> seems to work correctly:
>> 
>> set mailserver mail8.networktest.com port 587
>>        username "test" password "123456"
>>        using tls
>> 
>> I get "Mail: Mailserver response error -- 535 5.7.8 Error: authentication 
>> failed" but that is expected (I didn't use real credentials). The 
>> credentials are sent by monit after the STARTTLS command and the server 
>> didn't indicate the STARTTLS error.
>> 
>> Please can you verify your monit is compiled with SSL?:
>> 
>>      monit -V
> 
> Yes, it appears to be:
> 
> This is Monit version 5.25.2
> Built with ssl, with ipv6, with compression, with pam and with large files
> Copyright (C) 2001-2018 Tildeslash Ltd. All Rights Reserved.
> dh
> 
> This is on FreeBSD 11.2-RELEASE, compiled from ports.
> 
> One delta between our configs, if it matters, is that yours has 'set tls'
> instead of 'set ssl' in the 'set mailserver' definition. I don't think
> that's significant, as I changed mine, restarted monit, and saw the same
> STARTTLS error as before. I also tried commenting out the 'pemfile:'
> line in the 'set ssl' definition but that also had no effect.
> 
> An openssl STARTTLS handshake works OK from this server's command line.
> Output below.
> 
> Anything else I need to check in the monit config?
> 
> Thanks
> 
> dn
> 
> 
> $ openssl s_client -connect mail8.networktest.com:587 -starttls smtp
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = mail8.networktest.com
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=mail8.networktest.com
>   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIIjTCCB3WgAwIBAgISBN1aemqlVTdUmOJrX9BC59GGMA0GCSqGSIb3DQEBCwUA
> MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
> ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA2MDExMDAyMDRaFw0x
> ODA4MzAxMDAyMDRaMCAxHjAcBgNVBAMTFW1haWw4Lm5ldHdvcmt0ZXN0LmNvbTCC
> AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOI+gmM93ItcpEKZ34Ent14i
> Qd5rZ8bQFVJipwdxxkIgKWpUz6AJy4kaO0IIEDSquk7GTTpTFVsEcO+OVFDoE6Sg
> qo9S/oe7z1iOW6XVfoQb0PNp5yFdmTVP/fpYydxcZL34QDlP1+O1TRY0hTK6aOaq
> QkKnHrfFLiaKcLePKFcEPZgZW3aDPT3u3E38A9YFsOKaCQStZJxziV1QiaD4WlcJ
> qZWLfYSMR2DB7xMsSF+NXwItk9+fEl3yYDt3EwCXBWxE8lITUp5dq/bj03WhWpGe
> XD/e2WX0OUHClz1OH/NghnbMuBnL3jqEG/NXLKREqdDNdCfTA5krZZmNbuYx0qmR
> aosBLiteQf8XurK8wvg6jGxdrqZ0DudYPOADxRilHi27qse74OIoGJO6xxvrpzQt
> AZBvOIS6jM8MPrX1RdSE83LUqIzzAormy91Pb4gmSXvVywyoR5yqBiX3bmskzJdX
> BABsQ/vC8JYyszLpikZz4cYMfjpI15JwofaKIXeScwDR3rjXLcrmxk92J6dI3E1Y
> 0zaHaXb45ltUvT6mVqudWYNop/JAyxAcrH5pZ4TdUfeJjQDn5+H5p9EfXx8Q3eXE
> JdjRKmNIFjQvD9K3dNPi1QEkS8skv2t9LT5LydztovNvo9IpLsFBC92nFIPBpiHo
> Q/FOt/GOvEn05X4NROLLAgMBAAGjggSVMIIEkTAOBgNVHQ8BAf8EBAMCBaAwHQYD
> VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O
> BBYEFLf08/9lmzsV+4SHI1UoJXPMnstCMB8GA1UdIwQYMBaAFKhKamMEfd265tE5
> t6ZFZe/zqOyhMG8GCCsGAQUFBwEBBGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29j
> c3AuaW50LXgzLmxldHNlbmNyeXB0Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2Nl
> cnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8wggGVBgNVHREEggGMMIIBiIIVbGlz
> dHMubmV0d29ya3Rlc3QuY29tghNsaXN0cy5wb3RyemViaWUub3JnghFsaXN0cy5z
> dWN0ZXN0LmNvbYIVbWFpbC5hdWRpb2FsY2hlbXkuY29tghBtYWlsLmN2Y2Jpa2Uu
> b3JnghptYWlsLmRhdmlkcm9iZXJ0bmV3bWFuLmNvbYISbWFpbC5kcm5zdHVkaW8u
> Y29tghRtYWlsLm5ldHdvcmt0ZXN0LmNvbYISbWFpbC5wb3RyemViaWUub3JnghRt
> YWlsLnJob2RhbmV3bWFuLmNvbYIQbWFpbC5zdWN0ZXN0LmNvbYIbbWFpbDguZGF2
> aWRyb2JlcnRuZXdtYW4uY29tghNtYWlsOC5kcm5zdHVkaW8uY29tghVtYWlsOC5u
> ZXR3b3JrdGVzdC5jb22CDXBvdHJ6ZWJpZS5vcmeCD3Job2RhbmV3bWFuLmNvbYIL
> c3VjdGVzdC5jb22CEXd3dy5wb3RyemViaWUub3JnghN3d3cucmhvZGFuZXdtYW4u
> Y29tMIH+BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAm
> BggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUF
> BwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBv
> biBieSBSZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRo
> IHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5j
> cnlwdC5vcmcvcmVwb3NpdG9yeS8wggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwBV
> gdTCFpA2AUrqC5tXPFPwwOQ4eHAlCBcvo6odBxPTDAAAAWO7AvuFAAAEAwBIMEYC
> IQCbBw/2BWR+xvgQ3WUN949WNukh7cmkDTeRqJSgg3IQJgIhAO1iZUE5p76zLUKt
> Z4zrzlxXw8PB+Zm3CXSnT8QQ4FgYAHYAKTxRllTIOWW6qlD8WAfUt2+/WHopctyk
> wwz05UVH9HgAAAFjuwL7bwAABAMARzBFAiBRXgaSL3v6oIDvoj+aYaNvo9O3DRG5
> S8mO6DRVvmIAOAIhANQUcfkm5nZL/ljt5cf5xEI1OKwIcg8o78+eEDbfCDiBMA0G
> CSqGSIb3DQEBCwUAA4IBAQBWjkVpac9UgOfvrvJ1QjT50VbMY1P9diJ1pdIoDPcH
> 4EuEq8T8oswQ8ONxqWgCLr6tUjFWf6k3LUIZ/iAPAIf7TzlXnljrdBbOvT/9yil5
> TmFUEHZUC/ES6P8PPlFHbdh4Rs/eftI6DpL7WjKnxlkofHGvHr6mwhQ48CiSL6+T
> PEU0kAeZZqQteSe6s9eIlQKs7aYATzwAyjIGKQ0GrUPHSyRljShR+3vY6hHWRqwW
> t2cm28RtQKWRx3aNy3SjYxDlWPLGsU4udinpVx69IB1dbQTwSnI1X63TEi61/2t5
> NrAedbouYI8e+vH5q0/dXM8k3p9WTAEjZZUOxzxvvbpd
> -----END CERTIFICATE-----
> subject=/CN=mail8.networktest.com
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 4504 bytes and written 468 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>    Protocol  : TLSv1.2
>    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>    Session-ID:
> 0ACB792CC4FBE288FA99928EFED5091F9814FB55965D09D4805DBA3555405DE9
>    Session-ID-ctx:
>    Master-Key:
> 87E9DD57D5377D03140DE2867C90B784490DEEC53964486943C60A6CC58DCFB5DB9B642446B331925145D6CBA771E308
>    Key-Arg   : None
>    PSK identity: None
>    PSK identity hint: None
>    SRP username: None
>    TLS session ticket lifetime hint: 7200 (seconds)
>    TLS session ticket:
>    0000 - 93 c6 c5 5c 96 10 6d 21-29 4d c2 b5 ff cc bd 6e
> ...\..m!)M.....n
>    0010 - f8 47 c6 6a 57 dc 70 82-2b 2f 26 67 08 13 4e dd
> .G.jW.p.+/&g..N.
>    0020 - cf 94 0c d8 63 f9 3a 18-54 19 0c 19 bd 90 a8 7e
> ....c.:.T......~
>    0030 - 94 01 1a 4b 1b e1 a8 da-6f 0d 9e c4 05 68 ac 0a
> ...K....o....h..
>    0040 - d7 7a c1 60 50 60 e4 51-ff 73 d4 33 0b 8b dc 97
> .z.`P`.Q.s.3....
>    0050 - aa 8f 0f 52 34 54 3b 1d-8d 92 7c 32 34 58 04 aa
> ...R4T;...|24X..
>    0060 - a3 92 eb 7b 9c a6 6b 98-ce 37 f2 67 e9 39 4a 3d
> ...{..k..7.g.9J=
>    0070 - 28 4d 83 8b 7c 8f 48 af-0b 0a a1 67 0a cd 39 19
> (M..|.H....g..9.
>    0080 - 4c e2 f4 18 87 72 7d c3-5e 79 7a 2e 11 e0 2e eb
> L....r}.^yz.....
>    0090 - a7 bb 18 ba fe 90 18 5f-2b 2e 66 e3 84 b6 d1 81
> ......._+.f.....
> 
>    Start Time: 1532984690
>    Timeout   : 300 (sec)
>    Verify return code: 0 (ok)
> ---
> 250 SMTPUTF8
> 
>>> On 30 Jul 2018, at 20:53, David Newman <address@hidden> wrote:
>>> 
>>> On 7/30/18 10:50 AM, address@hidden wrote:
>>> 
>>>> The configuration looks fine, please can you send Monit log?
>>> 
>>> It's just a lot of entries like this. I deliberately stopped the Mailman
>>> service to try to force an email alert from Monit.
>>> 
>>> Thanks in advance for any troubleshooting clues.
>>> 
>>> dn
>>> 
>>> [PDT Jul 29 16:03:50] info     : Starting Monit 5.25.2 daemon with http
>>> interface at [localhost]:2812
>>> [PDT Jul 29 16:03:50] info     : 'mail8.networktest.com' Monit 5.25.2
>>> started
>>> [PDT Jul 29 16:03:55] error    : 'mailman' service restarted 1 times
>>> within 1 cycles(s) - alert
>>> [PDT Jul 29 16:03:55] error    : Mail: Mailserver response error -- 530
>>> 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:03:55] error    : Aborting event
>>> [PDT Jul 29 16:03:55] info     : 'mailman' process is running after
>>> previous restart timeout (manually recovered?)
>>> [PDT Jul 29 16:03:55] error    : Mail: Mailserver response error -- 530
>>> 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:03:55] error    : Aborting event
>>> [PDT Jul 29 16:04:30] error    : 'mailman' process is not running
>>> [PDT Jul 29 16:04:30] error    : Mail: Mailserver response error -- 530
>>> 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:04:30] error    : Aborting event
>>> [PDT Jul 29 16:04:30] info     : 'mailman' trying to restart
>>> [PDT Jul 29 16:04:30] info     : 'mailman' start:
>>> '/usr/local/etc/rc.d/mailman start'
>>> [PDT Jul 29 16:05:21] error    : 'mailman' service restarted 1 times
>>> within 1 cycles(s) - alert
>>> [PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
>>> 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:05:21] error    : Aborting event
>>> [PDT Jul 29 16:05:21] info     : 'mailman' process is running with pid 18239
>>> [PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
>>> 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:05:21] error    : Aborting event
>>> [PDT Jul 29 16:05:21] info     : 'mailman' process is running after
>>> previous restart timeout (manually recovered?)
>>> [PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
>>> 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:05:21] error    : Aborting event
>>> 
>>>> 
>>>> Best regards,
>>>> Martin
>>>> 
>>>> 
>>>>> On 30 Jul 2018, at 01:16, David Newman <address@hidden> wrote:
>>>>> 
>>>>> FreeBSD 11.2, monit-5.25.2 compiled from ports with SSL/TLS support
>>>>> 
>>>>> What's the correct syntax for monit to use STARTTLS when sending email
>>>>> alerts?
>>>>> 
>>>>> Currently monit logs this error:
>>>>> 
>>>>> [PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
>>>>> 5.7.0 Must issue a STARTTLS command first
>>>>> 
>>>>> Using this configuration in /usr/local/etc/monitrc:
>>>>> 
>>>>> set ssl options {
>>>>>      version: auto
>>>>>      verify: enable
>>>>>      pemfile: /etc/ssl/certs/mail.example.com/everything.pem
>>>>> }
>>>>> 
>>>>> set mailserver mail.example.com
>>>>>   port 587
>>>>>      username "address@hidden"
>>>>>   password="wouldnt-you-like-to-know"
>>>>>      using ssl
>>>>> 
>>>>> check process mailman with pidfile
>>>>> /usr/local/mailman/data/master-qrunner.pid
>>>>>      group mailman
>>>>>      start program = "/usr/local/etc/rc.d/mailman start"
>>>>>      stop program = "/usr/local/etc/rc.d/mailman stop"
>>>>>      if 1 restarts within 1 cycles then alert
>>>>> 
>>>>> Thanks!
>>>>> 
>>>>> dn
>>>>> 
> 
> -- 
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general
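The "530 5.7.0 Must issue a STARTTLS command first" reply in David's log is the submission server's way of saying that the client's AUTH (or MAIL) arrived on the cleartext channel, before STARTTLS; the openssl s_client run shows the server itself negotiates STARTTLS fine, so the question is purely one of client ordering, which is why Martin asks for a packet trace. The Python below is an added example, not monit's code nor anything posted in this thread: it models a port-587 server that enforces that ordering, drives it with a client in both the wrong order (AUTH straight after EHLO) and the correct one (EHLO, STARTTLS, EHLO again as RFC 3207 requires, then AUTH), and scans monit log lines of the form shown above to count how many alerts were dropped. The host names, the AUTH PLAIN credential ("test"/"123456", the dummy values from Martin's test configuration) and the server's reply texts other than the 530 one are all constructed placeholders.

```python
"""Model of the SMTP submission ordering rule behind the 530 5.7.0 reply in
this thread, plus a scanner for monit's "Mailserver response error" lines.
Constructed example: the server model, host names and credential are
placeholders, not monit's or any MTA's code."""
import base64
import re


class SubmissionServer:
    """Toy state machine for a port-587 server that accepts AUTH (and mail)
    only after STARTTLS.  Reply texts are modeled on common MTA wording; the
    530 line is the one quoted from the thread's log."""

    def __init__(self, hostname="mail.example.test"):  # placeholder host
        self.hostname = hostname
        self.tls_active = False
        self.authenticated = False

    def handle(self, command):
        """Return the server's reply lines for one client command."""
        verb = command.split(" ", 1)[0].upper()
        if verb == "EHLO":
            # STARTTLS is advertised on the cleartext channel and AUTH only
            # once TLS is up, so the client must re-EHLO after STARTTLS
            # (RFC 3207 requires that anyway) to learn that AUTH is allowed.
            ext = "250-AUTH PLAIN LOGIN" if self.tls_active else "250-STARTTLS"
            return ["250-" + self.hostname, ext, "250 SMTPUTF8"]
        if verb == "STARTTLS":
            if self.tls_active:
                return ["554 5.5.1 Error: TLS already active"]
            self.tls_active = True
            return ["220 2.0.0 Ready to start TLS"]
        if verb == "AUTH":
            if not self.tls_active:
                # The reply monit logged: credentials arrived in cleartext,
                # which this policy refuses.
                return ["530 5.7.0 Must issue a STARTTLS command first"]
            self.authenticated = True
            return ["235 2.7.0 Authentication successful"]
        if verb == "MAIL":
            if not self.authenticated:
                return ["530 5.7.0 Authentication required"]
            return ["250 2.1.0 Ok"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["502 5.5.2 Error: command not recognized"]


def run_session(commands):
    """Drive a fresh server with the client's commands and return a list of
    (command, final reply line).  Stops at the first 5xx reply, as monit does
    ("Aborting event" follows every 530 in the posted log)."""
    server = SubmissionServer()
    transcript = []
    for command in commands:
        reply = server.handle(command)[-1]
        transcript.append((command, reply))
        if reply.startswith("5"):
            break
    return transcript


# Constructed AUTH PLAIN credential: "\0user\0password" with the dummy values
# from the thread's test configuration; not a real account.
AUTH_PLAIN = "AUTH PLAIN " + base64.b64encode(b"\x00test\x00123456").decode()

WRONG_ORDER = ["EHLO monit.example.test", AUTH_PLAIN,
               "MAIL FROM:<monit@example.test>"]
RIGHT_ORDER = ["EHLO monit.example.test", "STARTTLS", "EHLO monit.example.test",
               AUTH_PLAIN, "MAIL FROM:<monit@example.test>"]

# Monit log lines constructed after the ones posted in the thread (the archive
# wraps each entry over two lines; here each entry is one line).
SAMPLE_LOG = [
    "[PDT Jul 29 16:03:55] error    : 'mailman' service restarted 1 times within 1 cycles(s) - alert",
    "[PDT Jul 29 16:03:55] error    : Mail: Mailserver response error -- 530 5.7.0 Must issue a STARTTLS command first",
    "[PDT Jul 29 16:03:55] error    : Aborting event",
    "[PDT Jul 29 16:04:30] error    : 'mailman' process is not running",
    "[PDT Jul 29 16:04:30] error    : Mail: Mailserver response error -- 530 5.7.0 Must issue a STARTTLS command first",
    "[PDT Jul 29 16:04:30] error    : Aborting event",
]
LOG_RE = re.compile(r"Mail: Mailserver response error -- (\d{3}) (\d\.\d+\.\d+) (.+)$")


def mail_errors(lines):
    """Count mailserver replies that made monit drop an alert, keyed by
    (SMTP reply code, enhanced status code, reply text)."""
    counts = {}
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            counts[match.groups()] = counts.get(match.groups(), 0) + 1
    return counts


def aborted_events(lines):
    """Number of alerts monit gave up on ("Aborting event")."""
    return sum(1 for line in lines if line.rstrip().endswith("Aborting event"))


if __name__ == "__main__":
    for label, order in (("AUTH before STARTTLS", WRONG_ORDER), ("STARTTLS first", RIGHT_ORDER)):
        print(label)
        for command, reply in run_session(order):
            print("  C: %-8s S: %s" % (command.split(" ")[0], reply))
    print(mail_errors(SAMPLE_LOG), "aborted:", aborted_events(SAMPLE_LOG))
```

Running the block prints both transcripts side by side: the wrong-order session dies at the second command with exactly the reply from the log, while the right-order one reaches "250 2.1.0 Ok". The log scanner is the defender's side of the same problem: a count of "Aborting event" lines is the number of alerts that never left the box, which is worth watching because a monit instance whose mail path is broken fails silently from the recipient's point of view.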
