From ead5526efa4f713e8001baed409067b0474cb72d Mon Sep 17 00:00:00 2001
From: Franz Schwartau <franz@electromail.org>
Date: Mon, 21 Aug 2023 16:53:48 +0200
Subject: Add support for SMTP over TLS

This is commonly used on smtps (465) port.

PROXY protocol is not implemented with TLS in check_smtp.c, yet.

Backported from nagios-plugins:
https://github.com/nagios-plugins/nagios-plugins/commit/0a8cf08ebb0740aa55d6c60d3b79fcab282604fb

diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c
index 996bd87..f3ba9e3 100644
--- a/plugins/check_smtp.c
+++ b/plugins/check_smtp.c
@@ -42,8 +42,8 @@ const char *email = "devel@monitoring-plugins.org";
 #ifdef HAVE_SSL
 int check_cert = FALSE;
 int days_till_exp_warn, days_till_exp_crit;
-#  define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
-#  define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
+#  define my_recv(buf, len) (((use_starttls || use_ssl) && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len))
+#  define my_send(buf, len) (((use_starttls || use_ssl) && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0))
 #else /* ifndef HAVE_SSL */
 #  define my_recv(buf, len) read(sd, buf, len)
 #  define my_send(buf, len) send(sd, buf, len, 0)
@@ -103,6 +103,7 @@ double critical_time = 0;
 int check_critical_time = FALSE;
 int verbose = 0;
 int use_ssl = FALSE;
+int use_starttls = FALSE;
 int use_sni = FALSE;
 short use_proxy_prefix = FALSE;
 short use_ehlo = FALSE;
@@ -186,12 +187,25 @@ main (int argc, char **argv)
 	result = my_tcp_connect (server_address, server_port, &sd);
 
 	if (result == STATE_OK) { /* we connected */
+#ifdef HAVE_SSL
+		if (use_ssl) {
+			result = np_net_ssl_init_with_hostname(sd, (use_sni ? server_address : NULL));
+			if (result != STATE_OK) {
+				printf (_("CRITICAL - Cannot create SSL context.\n"));
+				close(sd);
+				np_net_ssl_cleanup();
+				return STATE_CRITICAL;
+			} else {
+				ssl_established = 1;
+			}
+		}
+#endif
 
 		/* If requested, send PROXY header */
 		if (use_proxy_prefix) {
 			if (verbose)
 				printf ("Sending header %s\n", PROXY_PREFIX);
-			send(sd, PROXY_PREFIX, strlen(PROXY_PREFIX), 0);
+			my_send(PROXY_PREFIX, strlen(PROXY_PREFIX));
 		}
 
 		/* watch for the SMTP connection string and */
@@ -205,7 +219,7 @@ main (int argc, char **argv)
 		xasprintf(&server_response, "%s", buffer);
 
 		/* send the HELO/EHLO command */
-		send(sd, helocmd, strlen(helocmd), 0);
+		my_send(helocmd, strlen(helocmd));
 
 		/* allow for response to helo command to reach us */
 		if (recvlines(buffer, MAX_INPUT_BUFFER) <= 0) {
@@ -218,14 +232,14 @@ main (int argc, char **argv)
 			}
 		}
 
-		if(use_ssl && ! supports_tls){
+		if(use_starttls && ! supports_tls){
 			printf(_("WARNING - TLS not supported by server\n"));
 			smtp_quit();
 			return STATE_WARNING;
 		}
 
 #ifdef HAVE_SSL
-		if(use_ssl) {
+		if(use_starttls) {
 		  /* send the STARTTLS command */
 		  send(sd, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0);
 
@@ -489,6 +503,7 @@ process_arguments (int argc, char **argv)
 		{"use-ipv6", no_argument, 0, '6'},
 		{"help", no_argument, 0, 'h'},
 		{"lmtp", no_argument, 0, 'L'},
+		{"ssl", no_argument, 0, 's'},
 		{"starttls",no_argument,0,'S'},
 		{"sni", no_argument, 0, SNI_OPTION},
 		{"certificate",required_argument,0,'D'},
@@ -510,7 +525,7 @@ process_arguments (int argc, char **argv)
 	}
 
 	while (1) {
-		c = getopt_long (argc, argv, "+hVv46Lrt:p:f:e:c:w:H:C:R:SD:F:A:U:P:q",
+		c = getopt_long (argc, argv, "+hVv46Lrt:p:f:e:c:w:H:C:R:sSD:F:A:U:P:q",
 		                 longopts, &option);
 
 		if (c == -1 || c == EOF)
@@ -632,10 +647,13 @@ process_arguments (int argc, char **argv)
 #else
 			usage (_("SSL support not available - install OpenSSL and recompile"));
 #endif
-			// fall through
+		case 's':
+		/* ssl */
+			use_ssl = TRUE;
+			break;
 		case 'S':
 		/* starttls */
-			use_ssl = TRUE;
+			use_starttls = TRUE;
 			use_ehlo = TRUE;
 			break;
 		case SNI_OPTION:
@@ -694,6 +712,14 @@ process_arguments (int argc, char **argv)
 	if (from_arg==NULL)
 		from_arg = strdup(" ");
 
+	if (use_starttls && use_ssl) {
+		usage4 (_("Set either -s/--ssl or -S/--starttls"));
+	}
+
+	if (use_ssl && use_proxy_prefix) {
+		usage4 (_("PROXY protocol (-r/--proxy) is not implemented with SSL/TLS (-s/--ssl), yet."));
+	}
+
 	return validate_arguments ();
 }
 
@@ -851,6 +877,8 @@ print_help (void)
 #ifdef HAVE_SSL
   printf (" %s\n", "-D, --certificate=INTEGER[,INTEGER]");
   printf ("    %s\n", _("Minimum number of days a certificate has to be valid."));
+  printf (" %s\n", "-s, --ssl");
+  printf ("    %s\n", _("Use SSL/TLS for the connection."));
   printf (" %s\n", "-S, --starttls");
   printf ("    %s\n", _("Use STARTTLS for the connection."));
   printf (" %s\n", "--sni");
-- 
cgit v0.10-9-g596f