
I'm trying to use this command to check on port 587 for my postfix server.

Using nmap -P0 mail.server.com I see this:

Starting Nmap 5.51 ( http://nmap.org ) at 2013-11-04 05:01 PST
Nmap scan report for mail.server.com (xx.xx.xx.xx)
Host is up (0.0016s latency).
rDNS record for xx.xx.xx.xx: another.server.com
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
5666/tcp open  nrpe

So I know the relevant ports for smtps (465 or 587) are open.

When I use openssl s_client -connect mail.server.com:587 -starttls smtp I get a connection with all the various SSL info. (Same for port 465).

But when I try libexec/check_ssmtp -H mail.server.com -p587 I get:

CRITICAL - Cannot make SSL connection.
140200102082408:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:699:

What am I doing wrong?

ethrbunny
  • The answer below is very good. I'd just like to clarify that the protocols your server is using on ports 465 and 587 are very different. 465 is SMTPS (or SSMTP), which is SSL-encrypted SMTP. 587 (AKA submission) begins as a plain-text conversation, but then switches to TLS for encryption during the transaction. (This can also occur on port 25, though.) – Keith Nov 04 '13 at 18:45

1 Answer


You need to use the -S flag with the check_smtp command. As MadHatter correctly states, the check_ssmtp plugin is for SSL-enabled SMTP only.

MadHatter adds (with NickW's kind permission):

This is from tcpdump -n -n -X host www.teaparty.net on my NAGIOS server, whilst at the same time running /usr/lib64/nagios/plugins/check_smtp -H www.teaparty.net -p 25 -S. You'll note that TLS is clearly requested and initiated (I have cut out all the tedious certificate exchange that happened immediately afterwards).

14:28:37.434337 IP 78.31.111.49.33974 > 178.18.123.145.25: Flags [P.], seq 27:37, ack 276, win 123, options [nop,nop,TS val 890100881 ecr 1034540785], length 10
    0x0000:  4500 003e e415 4000 4006 6bb0 4e1f 6f31  E..>..@.@.k.N.o1
    0x0010:  b212 7b91 84b6 0019 b7e2 38ba ce7c 896e  ..{.......8..|.n
    0x0020:  8018 007b eb24 0000 0101 080a 350d dc91  ...{.$......5...
    0x0030:  3da9 d6f1 5354 4152 5454 4c53 0d0a       =...STARTTLS..
14:28:37.438207 IP 178.18.123.145.25 > 78.31.111.49.33974: Flags [P.], seq 276:306, ack 37, win 114, options [nop,nop,TS val 1034540789 ecr 890100881], length 30
    0x0000:  4500 0052 5e89 4000 3906 f828 b212 7b91  E..R^.@.9..(..{.
    0x0010:  4e1f 6f31 0019 84b6 ce7c 896e b7e2 38c4  N.o1.....|.n..8.
    0x0020:  8018 0072 806e 0000 0101 080a 3da9 d6f5  ...r.n......=...
    0x0030:  350d dc91 3232 3020 322e 302e 3020 5265  5...220.2.0.0.Re
    0x0040:  6164 7920 746f 2073 7461 7274 2054 4c53  ady.to.start.TLS
    0x0050:  0d0a                                     ..
MadHatter
NickW
  • I suspect that won't help: `-S` does SSL, which is no help, not TLS, as he needs :( – MadHatter Nov 04 '13 at 13:49
  • Maybe not, I haven't seen anything in the man pages saying it's a default, in fact, most usage examples I see make explicit use of it. For example: http://www.claudiokuenzler.com/blog/296/check-monitor-smtp-server-for-tls-ssl-connection – NickW Nov 04 '13 at 14:09
  • It does seem to be a default *when the plugin is invoked through its alternative name of `check_ssmtp`*. Moreover, I tested it both with and without the flag, and the error (`Cannot make SSL connection`) is the same in both cases. – MadHatter Nov 04 '13 at 14:12
  • Hey, you're right, he should be using check_smtp -S :) – NickW Nov 04 '13 at 14:14
  • NickW is right! *That* does TLS (I confirmed it with `tcpdump`). If you'll forgive me, I'll edit the evidence into your answer. – MadHatter Nov 04 '13 at 14:24
  • That will teach me to skim over man pages :) You're welcome to edit whatever you need to. – NickW Nov 04 '13 at 14:28
  • So `check_ssmtp` is supposed to be `check_smtp -S` - but actually isn't? – ethrbunny Nov 04 '13 at 15:15
  • Not as far as I can tell, they're actually two separate commands, check_ssmtp is just SSL, check_smtp is normal and TLS (starttls I assume) – NickW Nov 04 '13 at 15:22
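Worked example, added here and not part of the thread or of the Nagios plugins: a small Python check that does what the two plugins do (implicit TLS like check_ssmtp on 465, STARTTLS like check_smtp -S on 25/587) and, for the implicit-TLS mode, peeks at the first bytes so that a STARTTLS port is reported as such instead of as the cryptic "SSL23_GET_SERVER_HELLO:unknown protocol" seen in the question. The host names, the EHLO name and the sample replies are constructed; nothing here is the plugins' own code.

```python
"""Monitoring check for mail TLS: implicit TLS (465) vs STARTTLS (25/587).
Added example, not from the thread. Host names and sample data are constructed."""
import socket
import ssl
import sys

# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData.
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}


def classify_first_bytes(data):
    """Classify what a server sends first on a fresh TCP connection.

    An implicit-TLS server (465) says nothing until it gets a ClientHello; a
    STARTTLS port (25/587) greets with a plaintext '220 ...' banner. Feeding that
    banner to a TLS client is what check_ssmtp on 587 does: '2' (0x32) is not a
    TLS record type, hence the 'unknown protocol' error in the question."""
    if not data:
        return "silent"
    if data[0] in TLS_RECORD_TYPES and data[1:2] == b"\x03":
        return "tls-record"
    if data[:3].isdigit() and data[3:4] in (b" ", b"-", b"\r"):
        return "smtp-banner"
    return "unknown"


def read_reply(recv):
    """Read one SMTP reply; `recv` returns the next bytes (b'' on EOF).
    '250-' lines continue a reply, '250 ' (or a bare code) ends it.
    Returns (code, [lines]) with CRLFs stripped."""
    buf = b""
    while True:
        complete = buf.split(b"\r\n")[:-1]           # complete lines so far
        for i, line in enumerate(complete):
            if len(line) < 3 or not line[:3].isdigit():
                raise ValueError("malformed SMTP reply line: %r" % line)
            if len(line) == 3 or line[3:4] == b" ":
                return int(line[:3]), complete[:i + 1]
        chunk = recv()
        if not chunk:
            raise ConnectionError("server closed the connection mid-reply")
        buf += chunk


def expect(recv, want):
    """Read a reply and insist on a given code (e.g. 220, 250)."""
    code, lines = read_reply(recv)
    if code != want:
        raise RuntimeError("expected %d, got %d: %r" % (want, code, lines))
    return lines


def negotiate_starttls(sock, server_hostname, ehlo_name=b"check.example.invalid"):
    """The plaintext prelude (banner, EHLO, STARTTLS), then the TLS upgrade.
    This is what check_smtp -S does and check_ssmtp does not."""
    recv = lambda: sock.recv(4096)
    expect(recv, 220)                                      # plaintext banner
    sock.sendall(b"EHLO " + ehlo_name + b"\r\n")
    caps = expect(recv, 250)
    if not any(l[4:].upper().startswith(b"STARTTLS") for l in caps):
        raise RuntimeError("server does not advertise STARTTLS")
    sock.sendall(b"STARTTLS\r\n")
    expect(recv, 220)                                      # '220 2.0.0 Ready to start TLS'
    return ssl.create_default_context().wrap_socket(sock, server_hostname=server_hostname)


def check_mail_tls(host, port, mode, timeout=10):
    """mode='implicit' mirrors check_ssmtp; mode='starttls' mirrors check_smtp -S.
    Returns (ok, detail) so a wrapper can map it to OK/CRITICAL."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if mode == "implicit":
                # Peek briefly: a plaintext banner means this is a STARTTLS port,
                # and a TLS handshake against it would fail with 'unknown protocol'.
                sock.settimeout(2)
                try:
                    kind = classify_first_bytes(sock.recv(64, socket.MSG_PEEK))
                except socket.timeout:
                    kind = "silent"
                sock.settimeout(timeout)
                if kind == "smtp-banner":
                    return False, "port %d speaks plaintext SMTP first; use STARTTLS (check_smtp -S)" % port
                tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
                recv = lambda: tls.recv(4096)
                expect(recv, 220)                          # banner arrives inside TLS
            else:
                tls = negotiate_starttls(sock, host)
                recv = lambda: tls.recv(4096)
            tls.sendall(b"EHLO check.example.invalid\r\n")  # fresh EHLO after TLS (RFC 3207)
            expect(recv, 250)
            tls.sendall(b"QUIT\r\n")
            return True, "%s on %s:%d ok, %s" % (mode, host, port, tls.version())
    except (OSError, ssl.SSLError, RuntimeError, ValueError) as exc:
        return False, "%s on %s:%d failed: %s" % (mode, host, port, exc)


if __name__ == "__main__":
    # usage: python check_mail_tls.py mail.server.com 587 starttls
    ok, detail = check_mail_tls(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print(("OK - " if ok else "CRITICAL - ") + detail)
    sys.exit(0 if ok else 2)
```

The peek in implicit mode costs up to two seconds on a real implicit-TLS port (the server is correctly silent), which is acceptable for a monitoring probe; a STARTTLS port answers with its banner almost immediately and is reported as a configuration mismatch rather than as an opaque SSL library error.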