authorLorenz Kästle <12514511+RincewindsHat@users.noreply.github.com>2025-11-09 11:46:36 +0100
committerLorenz Kästle <12514511+RincewindsHat@users.noreply.github.com>2025-11-09 11:46:36 +0100
commitbc2720abddf8e379c4e1f23ed25f7702ef29ad08 (patch)
tree71658ad4c291b2eec4779f2367ab0b65744b60d3 /plugins/check_smtp.c
parent62035adf6c8199eba54755f23e8affe97e645300 (diff)
check_smtp: certificate check is no longer opt-in
This is a breaking change. Testing whether a TLS certificate is still valid (expiration-wise) is now the default in check_smtp. The reasoning is that in most scenarios an expired certificate effectively means the service no longer works, because other software will refuse to talk to it. There is, however, a new CLI parameter to explicitly ignore expiration.
Diffstat (limited to 'plugins/check_smtp.c')
-rw-r--r--plugins/check_smtp.c88
1 files changed, 50 insertions, 38 deletions
diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index cb92421c..e806ad29 100644
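--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -37,6 +37,7 @@
 #include "base64.h"
 #include "regex.h"
 
+#include <bits/getopt_ext.h>
 #include <ctype.h>
 #include <string.h>
 #include "check_smtp.d/config.h"
@@ -347,9 +348,19 @@ int main(int argc, char **argv) {
 
  switch (cert_check_result.errors) {
  case ALL_OK: {
- xasprintf(&sc_cert_check.output, "Certificate expiration. Remaining time %g days",
- cert_check_result.remaining_seconds / 86400);
- sc_cert_check = mp_set_subcheck_state(sc_cert_check, cert_check_result.result_state);
+
+ if (cert_check_result.result_state != STATE_OK &&
+ config.ignore_certificate_expiration) {
+ xasprintf(&sc_cert_check.output,
+ "Remaining certificate lifetime: %d days. Expiration will be ignored",
+ (int)(cert_check_result.remaining_seconds / 86400));
+ sc_cert_check = mp_set_subcheck_state(sc_cert_check, STATE_OK);
+ } else {
+ xasprintf(&sc_cert_check.output, "Remaining certificate lifetime: %d days",
+ (int)(cert_check_result.remaining_seconds / 86400));
+ sc_cert_check =
+ mp_set_subcheck_state(sc_cert_check, cert_check_result.result_state);
+ }
  } break;
  case NO_SERVER_CERTIFICATE_PRESENT: {
  xasprintf(&sc_cert_check.output, "no server certificate present");
@@ -366,12 +377,6 @@ int main(int argc, char **argv) {
  };
 
  mp_add_subcheck_to_check(&overall, sc_cert_check);
-
- if (config.check_cert) {
- smtp_quit(config, buffer, socket_descriptor, ssl_established);
- my_close(socket_descriptor);
- mp_exit(overall);
- }
  }
 # endif /* USE_OPENSSL */
 
@@ -584,37 +589,40 @@ check_smtp_config_wrapper process_arguments(int argc, char **argv) {
  enum {
  SNI_OPTION = CHAR_MAX + 1,
  output_format_index,
+ ignore_certificate_expiration_index,
  };
 
  int option = 0;
- static struct option longopts[] = {{"hostname", required_argument, 0, 'H'},
- {"expect", required_argument, 0, 'e'},
- {"critical", required_argument, 0, 'c'},
- {"warning", required_argument, 0, 'w'},
- {"timeout", required_argument, 0, 't'},
- {"port", required_argument, 0, 'p'},
- {"from", required_argument, 0, 'f'},
- {"fqdn", required_argument, 0, 'F'},
- {"authtype", required_argument, 0, 'A'},
- {"authuser", required_argument, 0, 'U'},
- {"authpass", required_argument, 0, 'P'},
- {"command", required_argument, 0, 'C'},
- {"response", required_argument, 0, 'R'},
- {"verbose", no_argument, 0, 'v'},
- {"version", no_argument, 0, 'V'},
- {"use-ipv4", no_argument, 0, '4'},
- {"use-ipv6", no_argument, 0, '6'},
- {"help", no_argument, 0, 'h'},
- {"lmtp", no_argument, 0, 'L'},
- {"ssl", no_argument, 0, 's'},
- {"tls", no_argument, 0, 's'},
- {"starttls", no_argument, 0, 'S'},
- {"sni", no_argument, 0, SNI_OPTION},
- {"certificate", required_argument, 0, 'D'},
- {"ignore-quit-failure", no_argument, 0, 'q'},
- {"proxy", no_argument, 0, 'r'},
- {"output-format", required_argument, 0, output_format_index},
- {0, 0, 0, 0}};
+ static struct option longopts[] = {
+ {"hostname", required_argument, 0, 'H'},
+ {"expect", required_argument, 0, 'e'},
+ {"critical", required_argument, 0, 'c'},
+ {"warning", required_argument, 0, 'w'},
+ {"timeout", required_argument, 0, 't'},
+ {"port", required_argument, 0, 'p'},
+ {"from", required_argument, 0, 'f'},
+ {"fqdn", required_argument, 0, 'F'},
+ {"authtype", required_argument, 0, 'A'},
+ {"authuser", required_argument, 0, 'U'},
+ {"authpass", required_argument, 0, 'P'},
+ {"command", required_argument, 0, 'C'},
+ {"response", required_argument, 0, 'R'},
+ {"verbose", no_argument, 0, 'v'},
+ {"version", no_argument, 0, 'V'},
+ {"use-ipv4", no_argument, 0, '4'},
+ {"use-ipv6", no_argument, 0, '6'},
+ {"help", no_argument, 0, 'h'},
+ {"lmtp", no_argument, 0, 'L'},
+ {"ssl", no_argument, 0, 's'},
+ {"tls", no_argument, 0, 's'},
+ {"starttls", no_argument, 0, 'S'},
+ {"sni", no_argument, 0, SNI_OPTION},
+ {"certificate", required_argument, 0, 'D'},
+ {"ignore-quit-failure", no_argument, 0, 'q'},
+ {"proxy", no_argument, 0, 'r'},
+ {"ignore-certificate-expiration", no_argument, 0, ignore_certificate_expiration_index},
+ {"output-format", required_argument, 0, output_format_index},
+ {0, 0, 0, 0}};
 
  check_smtp_config_wrapper result = {
  .config = check_smtp_config_init(),
@@ -766,7 +774,6 @@ check_smtp_config_wrapper process_arguments(int argc, char **argv) {
  }
  result.config.days_till_exp_warn = atoi(optarg);
  }
- result.config.check_cert = true;
  result.config.ignore_send_quit_failure = true;
 #else
  usage(_("SSL support not available - install OpenSSL and recompile"));
@@ -827,6 +834,9 @@ check_smtp_config_wrapper process_arguments(int argc, char **argv) {
  result.config.output_format = parser.output_format;
  break;
  }
+ case ignore_certificate_expiration_index: {
+ result.config.ignore_certificate_expiration = true;
+ }
  }
  }
 
@@ -1028,6 +1038,8 @@ void print_help(void) {
  printf(" %s\n", _("Send LHLO instead of HELO/EHLO"));
  printf(" %s\n", "-q, --ignore-quit-failure");
  printf(" %s\n", _("Ignore failure when sending QUIT command to server"));
+ printf(" %s\n", "--ignore-certificate-expiration");
+ printf(" %s\n", _("Ignore certificate expiration"));
 
  printf(UT_WARN_CRIT);
 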
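Review bot: The new `#include <bits/getopt_ext.h>` in the first hunk pulls in a glibc-internal header that is not meant to be included directly and does not exist on non-glibc systems, so the plugin will likely fail to build there. `struct option` and `getopt_long` come from the public header, so use `#include <getopt.h>`, or drop the line if the project's common headers already provide it (not visible here). Separately, the new `case ignore_certificate_expiration_index:` in process_arguments has no `break;`. That is harmless while it is the last case, but the next option added below it would inherit a fall-through, so add `break;` after the assignment. Both main and process_arguments continue outside the hunks shown.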