check_smtp shows OK also response is 530 5.7.57 SMTP

[blindzero]

Goal
I want to monitor that SMTP server is not accepting unauthenticated.
I use -f someaddress@ourdomain.com for this.

Current Behaviour
The output seems fine and as expected:

root@host:/usr/lib/nagios/plugins# ./check_smtp -H mailserver -v -p 465 -S -f someaddress@ourdomain.com
HELOCMD: EHLO host
FROM CMD: MAIL FROM:<it@someaddress@ourdomain.com>
sent EHLO host
250-mailserver.ourdomain.com Hello [192.168.xxx.yyy]
250-SIZE 104857600
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOWREQUEST
250-mailserver.ourdomain.com Hello [192.168.xxx.yyy]
250-SIZE 104857600
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH GSSAPI NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOWREQUEST
530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM
sent QUIT

Unfortunately check_smtp returns OK then in the next line. (The quit-problem can also not be avoided by adding -q).

recv() failed after QUIT.SMTP OK - 5.010 sec. response time, 530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM
|time=5.010097s;;;0.000000

Expected Behaviour
I would expect CRITICAL here as error 530 is received. RFC 5321 defines this as permanent negative response.

[MEschenbacher]

Reading through the code, it does not look like as if the response to -f or -C is checked at all, however I believe with a combination of -C and -R (which checks the response and also takes regex) you might get the behaviour you like e.g.:

/usr/lib/nagios/plugins# ./check_smtp -H mailserver -v -p 465 -S -C "MAIL FROM:<someaddress@ourdomain.com>" -R "^5" -C "RCPT TO:<foo@bar>" -R "^5"