check_smtp plugin fails to properly detect availability of STARTTLS #431

Closed
smooge opened this issue Jan 2, 2019 · 2 comments
smooge commented Jan 2, 2019

The following was opened in the Red Hat Bugzilla for nagios-plugins-2.2.1

https://bugzilla.redhat.com/show_bug.cgi?id=1662677

Josh Malone 2018-12-31 14:08:48 UTC
Description of problem:

The latest check_smtp plugin version fails to properly detect availability of STARTTLS on the server and reports a false error for the service. Proper TLS configuration of my servers has been verified by clients and testssl.sh

Version-Release number of selected component (if applicable):

nagios-plugins-smtp-2.2.1-15.20180725git3429dad.el7.x86_64

How reproducible:

Every time

Steps to Reproduce:

  1. Properly configure an SMTP server to support starttls
  2. Execute a check of the service using the -S and -D options to check TLS:
    check_smtp -H 192.33.115.33 -S -D 30
  3. Observe the warning that TLS is not supported (when it, in fact, is)

Actual results:

[root@sysmon ~]# /usr/lib64/nagios/plugins/check_smtp -H 192.33.115.33 -S -D 30 -v
HELOCMD: EHLO sysmon
Sending header PROXY TCP4 0.0.0.0 0.0.0.0 25 25

220 corvus.cv.nrao.edu ESMTP Sendmail 8.14.4/8.14.4; Mon, 31 Dec 2018 08:31:44 -0500
WARNING - TLS not supported by server
sent QUIT
received 250-corvus.cv.nrao.edu Hello nagios.cv.nrao.edu [10.2.96.126], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP

Expected results:

[root@sysmon ~]# /usr/local/nagios/plugins/check_smtp -H 192.33.115.33 -S -D 30 -v
HELOCMD: EHLO sysmon
220 corvus.cv.nrao.edu ESMTP Sendmail 8.14.4/8.14.4; Mon, 31 Dec 2018 09:04:08 -0500
sent EHLO sysmon
250-corvus.cv.nrao.edu Hello nagios.cv.nrao.edu [10.2.96.126], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-DELIVERBY
250 HELP
SSL OK - Certificate '*.cv.nrao.edu' will expire on 2019-04-26 19:59 -0400/EDT. sent QUIT
received 221 2.0.0 corvus.cv.nrao.edu closing connection

Additional info:

Compiling check_smtp from the current nagios-plugins 2.2.1 from upstream vendor (https://www.nagios.org/downloads/nagios-plugins/) does not exhibit this issue.

Comment 1 Klaus Tachtler 2019-01-01 16:50:04 UTC
Same issue with the nagios-plugins-smtp-2.2.1-15.20180725git3429dad.el7.x86_64

/usr/lib64/nagios/plugins/check_smtp -S -H 127.0.0.1 -p 25 -D 21 -v

HELOCMD: EHLO server110
Sending header PROXY TCP4 0.0.0.0 0.0.0.0 25 25

220 vml70110.idmz.tachtler.net ESMTP Postfix
WARNING - TLS not supported by server
sent QUIT
received 250-server110
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

/usr/lib64/nagios/plugins/check_smtp does NOT detect the EHLO answer 250-STARTTLS correctly.


adpe commented Jan 3, 2019

sawolf (Member) commented Aug 9, 2019

> Compiling check_smtp from the current nagios-plugins 2.2.1 from upstream vendor (https://www.nagios.org/downloads/nagios-plugins/) does not exhibit this issue.

In that case, I don't think the issue pertains to this repo. If you have reproduced this by compiling from this repo, please let me know and I'll re-open the issue.

@sawolf sawolf closed this as completed Aug 9, 2019
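
In both failing transcripts above, the TLS warning is printed before any EHLO reply lines appear. The following added example, which is not code from nagios-plugins or from anyone in this thread, shows a STARTTLS check that decides only once the complete multi-line EHLO reply has been read, so a buffer holding just the 220 greeting is reported as incomplete rather than as "TLS not supported". The names `ehlo_starttls`, `GREETING` and `FULL_REPLY` are hypothetical; the sample data is constructed from the Postfix transcript above, with CRLF line endings assumed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum ehlo_result { EHLO_INCOMPLETE, EHLO_REJECTED, EHLO_NO_STARTTLS, EHLO_STARTTLS };

/* buf holds everything read from the server so far. RFC 5321 replies are
 * "250-text" continuation lines closed by one "250 text" final line. */
enum ehlo_result ehlo_starttls(const char *buf)
{
    int found = 0, seen_250 = 0;
    for (const char *line = buf, *eol; *line; line = eol + 1) {
        if (!(eol = strchr(line, '\n')))
            break;                                /* partial line: read more */
        size_t len = (size_t)(eol - line);
        if (len && line[len - 1] == '\r')
            len--;
        if (len >= 3 && strncmp(line, "220", 3) == 0)
            continue;                             /* greeting, not the EHLO reply */
        if (len < 3 || strncmp(line, "250", 3) != 0
            || (len > 3 && line[3] != '-' && line[3] != ' '))
            return EHLO_REJECTED;                 /* 4xx/5xx or malformed line */
        /* The first 250 line carries the server's domain, not a keyword. */
        if (seen_250++ && len >= 12 && strncasecmp(line + 4, "STARTTLS", 8) == 0
            && (len == 12 || line[12] == ' '))
            found = 1;
        if (len == 3 || line[3] == ' ')           /* final line: reply complete */
            return found ? EHLO_STARTTLS : EHLO_NO_STARTTLS;
    }
    return EHLO_INCOMPLETE;                       /* no final 250 line seen yet */
}

/* Constructed from the Postfix transcript on this page; CRLF endings assumed. */
static const char GREETING[] = "220 vml70110.idmz.tachtler.net ESMTP Postfix\r\n";
static const char FULL_REPLY[] =
    "220 vml70110.idmz.tachtler.net ESMTP Postfix\r\n"
    "250-server110\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n250-VRFY\r\n"
    "250-ETRN\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n"
    "250 DSN\r\n";

int main(void)
{
    printf("greeting only: %d\n", ehlo_starttls(GREETING));
    printf("full reply:    %d\n", ehlo_starttls(FULL_REPLY));
    return 0;
}
```

A caller should keep reading from the socket while the result is `EHLO_INCOMPLETE` and only raise a "TLS not supported" warning on `EHLO_NO_STARTTLS`.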