/***************************************************************************** * * Nagios check_smtp plugin * * License: GPL * Copyright (c) 2000-2007 Nagios Plugins Development Team * * Description: * * This file contains the check_smtp plugin * * This plugin will attempt to open an SMTP connection with the host. * * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * * *****************************************************************************/ const char *progname = "check_smtp"; const char *copyright = "2000-2007"; const char *email = "nagiosplug-devel@lists.sourceforge.net"; #include "common.h" #include "netutils.h" #include "utils.h" #include "base64.h" #include #ifdef HAVE_SSL int check_cert = FALSE; int days_till_exp; # define my_recv(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_read(buf, len) : read(sd, buf, len)) # define my_send(buf, len) ((use_ssl && ssl_established) ? np_net_ssl_write(buf, len) : send(sd, buf, len, 0)) #else /* ifndef HAVE_SSL */ # define my_recv(buf, len) read(sd, buf, len) # define my_send(buf, len) send(sd, buf, len, 0) #endif enum { SMTP_PORT = 25 }; #define SMTP_EXPECT "220" #define SMTP_HELO "HELO " #define SMTP_EHLO "EHLO " #define SMTP_QUIT "QUIT\r\n" #define SMTP_STARTTLS "STARTTLS\r\n" #define SMTP_AUTH_LOGIN "AUTH LOGIN\r\n" #ifndef HOST_MAX_BYTES #define HOST_MAX_BYTES 255 #endif #define EHLO_SUPPORTS_STARTTLS 1 int process_arguments (int, char **); int validate_arguments (void); void print_help (void); void print_usage (void); void smtp_quit(void); int recvline(char *, size_t); int recvlines(char *, size_t); int my_close(void); #include "regex.h" char regex_expect[MAX_INPUT_BUFFER] = ""; regex_t preg; regmatch_t pmatch[10]; char timestamp[20] = ""; char errbuf[MAX_INPUT_BUFFER]; int cflags = REG_EXTENDED | REG_NOSUB | REG_NEWLINE; int eflags = 0; int errcode, excode; int server_port = SMTP_PORT; char *server_address = NULL; char *server_expect = NULL; int smtp_use_dummycmd = 0; char *mail_command = NULL; char *from_arg = NULL; int ncommands=0; int command_size=0; int nresponses=0; int response_size=0; char **commands = NULL; char **responses = NULL; char *authtype = NULL; char *authuser = NULL; char *authpass = NULL; int warning_time = 0; int check_warning_time = FALSE; int critical_time = 0; int check_critical_time = FALSE; int verbose = 0; int use_ssl = FALSE; short use_ehlo = FALSE; short ssl_established = 0; char *localhostname = NULL; int sd; char buffer[MAX_INPUT_BUFFER]; enum { TCP_PROTOCOL = 1, UDP_PROTOCOL = 2, }; int main (int argc, char **argv) { short supports_tls=FALSE; int n = 0; double elapsed_time; long microsec; int result = STATE_UNKNOWN; char *cmd_str = NULL; char *helocmd = NULL; char *error_msg = ""; struct timeval tv; setlocale (LC_ALL, ""); bindtextdomain (PACKAGE, LOCALEDIR); textdomain (PACKAGE); /* Parse extra opts if any */ argv=np_extra_opts (&argc, argv, progname); if (process_arguments (argc, argv) == ERROR) usage4 (_("Could not parse arguments")); /* If localhostname not set on command line, use gethostname to set */ if(! localhostname){ localhostname = malloc (HOST_MAX_BYTES); if(!localhostname){ printf(_("malloc() failed!\n")); return STATE_CRITICAL; } if(gethostname(localhostname, HOST_MAX_BYTES)){ printf(_("gethostname() failed!\n")); return STATE_CRITICAL; } } if(use_ehlo) asprintf (&helocmd, "%s%s%s", SMTP_EHLO, localhostname, "\r\n"); else asprintf (&helocmd, "%s%s%s", SMTP_HELO, localhostname, "\r\n"); if (verbose) printf("HELOCMD: %s", helocmd); /* initialize the MAIL command with optional FROM command */ asprintf (&cmd_str, "%sFROM: %s%s", mail_command, from_arg, "\r\n"); if (verbose && smtp_use_dummycmd) printf ("FROM CMD: %s", cmd_str); /* initialize alarm signal handling */ (void) signal (SIGALRM, socket_timeout_alarm_handler); /* set socket timeout */ (void) alarm (socket_timeout); /* start timer */ gettimeofday (&tv, NULL); /* try to connect to the host at the given port number */ result = my_tcp_connect (server_address, server_port, &sd); if (result == STATE_OK) { /* we connected */ /* watch for the SMTP connection string and */ /* return a WARNING status if we couldn't read any data */ if (recvlines(buffer, MAX_INPUT_BUFFER) <= 0) { printf (_("recv() failed\n")); result = STATE_WARNING; } else { if (verbose) printf ("%s", buffer); /* strip the buffer of carriage returns */ strip (buffer); /* make sure we find the response we are looking for */ if (!strstr (buffer, server_expect)) { if (server_port == SMTP_PORT) printf (_("Invalid SMTP response received from host: %s\n"), buffer); else printf (_("Invalid SMTP response received from host on port %d: %s\n"), server_port, buffer); result = STATE_WARNING; } } /* send the HELO/EHLO command */ send(sd, helocmd, strlen(helocmd), 0); /* allow for response to helo command to reach us */ if (recvlines(buffer, MAX_INPUT_BUFFER) <= 0) { printf (_("recv() failed\n")); return STATE_WARNING; } else if(use_ehlo){ if(strstr(buffer, "250 STARTTLS") != NULL || strstr(buffer, "250-STARTTLS") != NULL){ supports_tls=TRUE; } } if(use_ssl && ! supports_tls){ printf(_("WARNING - TLS not supported by server\n")); smtp_quit(); return STATE_WARNING; } #ifdef HAVE_SSL if(use_ssl) { /* send the STARTTLS command */ send(sd, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0); recvlines(buffer, MAX_INPUT_BUFFER); /* wait for it */ if (!strstr (buffer, server_expect)) { printf (_("Server does not support STARTTLS\n")); smtp_quit(); return STATE_UNKNOWN; } result = np_net_ssl_init(sd); if(result != STATE_OK) { printf (_("CRITICAL - Cannot create SSL context.\n")); np_net_ssl_cleanup(); close(sd); return STATE_CRITICAL; } else { ssl_established = 1; } /* * Resend the EHLO command. * * RFC 3207 (4.2) says: ``The client MUST discard any knowledge * obtained from the server, such as the list of SMTP service * extensions, which was not obtained from the TLS negotiation * itself. The client SHOULD send an EHLO command as the first * command after a successful TLS negotiation.'' For this * reason, some MTAs will not allow an AUTH LOGIN command before * we resent EHLO via TLS. */ if (my_send(helocmd, strlen(helocmd)) <= 0) { printf("%s\n", _("SMTP UNKNOWN - Cannot send EHLO command via TLS.")); my_close(); return STATE_UNKNOWN; } if (verbose) printf(_("sent %s"), helocmd); if ((n = recvlines(buffer, MAX_INPUT_BUFFER)) <= 0) { printf("%s\n", _("SMTP UNKNOWN - Cannot read EHLO response via TLS.")); my_close(); return STATE_UNKNOWN; } if (verbose) { printf("%s", buffer); } # ifdef USE_OPENSSL if ( check_cert ) { result = np_net_ssl_check_cert(days_till_exp); if(result != STATE_OK){ printf ("%s\n", _("CRITICAL - Cannot retrieve server certificate.")); } my_close(); return result; } # endif /* USE_OPENSSL */ } #endif /* sendmail will syslog a "NOQUEUE" error if session does not attempt * to do something useful. This can be prevented by giving a command * even if syntax is illegal (MAIL requires a FROM:<...> argument) * * According to rfc821 you can include a null reversepath in the from command * - but a log message is generated on the smtp server. * * Use the -f option to provide a FROM address */ if (smtp_use_dummycmd) { my_send(cmd_str, strlen(cmd_str)); if (recvlines(buffer, MAX_INPUT_BUFFER) >= 1 && verbose) printf("%s", buffer); } while (n < ncommands) { asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); my_send(cmd_str, strlen(cmd_str)); if (recvlines(buffer, MAX_INPUT_BUFFER) >= 1 && verbose) printf("%s", buffer); strip (buffer); if (n < nresponses) { cflags |= REG_EXTENDED | REG_NOSUB | REG_NEWLINE; errcode = regcomp (&preg, responses[n], cflags); if (errcode != 0) { regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER); printf (_("Could Not Compile Regular Expression")); return ERROR; } excode = regexec (&preg, buffer, 10, pmatch, eflags); if (excode == 0) { result = STATE_OK; } else if (excode == REG_NOMATCH) { result = STATE_WARNING; printf (_("SMTP %s - Invalid response '%s' to command '%s'\n"), state_text (result), buffer, commands[n]); } else { regerror (excode, &preg, errbuf, MAX_INPUT_BUFFER); printf (_("Execute Error: %s\n"), errbuf); result = STATE_UNKNOWN; } } n++; } if (authtype != NULL) { if (strcmp (authtype, "LOGIN") == 0) { char *abuf; int ret; do { if (authuser == NULL) { result = STATE_CRITICAL; asprintf(&error_msg, _("no authuser specified, ")); break; } if (authpass == NULL) { result = STATE_CRITICAL; asprintf(&error_msg, _("no authpass specified, ")); break; } /* send AUTH LOGIN */ my_send(SMTP_AUTH_LOGIN, strlen(SMTP_AUTH_LOGIN)); if (verbose) printf (_("sent %s\n"), "AUTH LOGIN"); if ((ret = recvlines(buffer, MAX_INPUT_BUFFER)) <= 0) { asprintf(&error_msg, _("recv() failed after AUTH LOGIN, ")); result = STATE_WARNING; break; } if (verbose) printf (_("received %s\n"), buffer); if (strncmp (buffer, "334", 3) != 0) { result = STATE_CRITICAL; asprintf(&error_msg, _("invalid response received after AUTH LOGIN, ")); break; } /* encode authuser with base64 */ base64_encode_alloc (authuser, strlen(authuser), &abuf); /* FIXME: abuf shouldn't have enough space to strcat a '\r\n' into it. */ strcat (abuf, "\r\n"); my_send(abuf, strlen(abuf)); if (verbose) printf (_("sent %s\n"), abuf); if ((ret = recvlines(buffer, MAX_INPUT_BUFFER)) <= 0) { result = STATE_CRITICAL; asprintf(&error_msg, _("recv() failed after sending authuser, ")); break; } if (verbose) { printf (_("received %s\n"), buffer); } if (strncmp (buffer, "334", 3) != 0) { result = STATE_CRITICAL; asprintf(&error_msg, _("invalid response received after authuser, ")); break; } /* encode authpass with base64 */ base64_encode_alloc (authpass, strlen(authpass), &abuf); /* FIXME: abuf shouldn't have enough space to strcat a '\r\n' into it. */ strcat (abuf, "\r\n"); my_send(abuf, strlen(abuf)); if (verbose) { printf (_("sent %s\n"), abuf); } if ((ret = recvlines(buffer, MAX_INPUT_BUFFER)) <= 0) { result = STATE_CRITICAL; asprintf(&error_msg, _("recv() failed after sending authpass, ")); break; } if (verbose) { printf (_("received %s\n"), buffer); } if (strncmp (buffer, "235", 3) != 0) { result = STATE_CRITICAL; asprintf(&error_msg, _("invalid response received after authpass, ")); break; } break; } while (0); } else { result = STATE_CRITICAL; asprintf(&error_msg, _("only authtype LOGIN is supported, ")); } } /* tell the server we're done */ smtp_quit(); /* finally close the connection */ close (sd); } /* reset the alarm */ alarm (0); microsec = deltime (tv); elapsed_time = (double)microsec / 1.0e6; if (result == STATE_OK) { if (check_critical_time && elapsed_time > (double) critical_time) result = STATE_CRITICAL; else if (check_warning_time && elapsed_time > (double) warning_time) result = STATE_WARNING; } printf (_("SMTP %s - %s%.3f sec. response time%s%s|%s\n"), state_text (result), error_msg, elapsed_time, verbose?", ":"", verbose?buffer:"", fperfdata ("time", elapsed_time, "s", (int)check_warning_time, warning_time, (int)check_critical_time, critical_time, TRUE, 0, FALSE, 0)); return result; } /* process command-line arguments */ int process_arguments (int argc, char **argv) { int c; int option = 0; static struct option longopts[] = { {"hostname", required_argument, 0, 'H'}, {"expect", required_argument, 0, 'e'}, {"critical", required_argument, 0, 'c'}, {"warning", required_argument, 0, 'w'}, {"timeout", required_argument, 0, 't'}, {"port", required_argument, 0, 'p'}, {"from", required_argument, 0, 'f'}, {"fqdn", required_argument, 0, 'F'}, {"authtype", required_argument, 0, 'A'}, {"authuser", required_argument, 0, 'U'}, {"authpass", required_argument, 0, 'P'}, {"command", required_argument, 0, 'C'}, {"response", required_argument, 0, 'R'}, {"verbose", no_argument, 0, 'v'}, {"version", no_argument, 0, 'V'}, {"use-ipv4", no_argument, 0, '4'}, {"use-ipv6", no_argument, 0, '6'}, {"help", no_argument, 0, 'h'}, {"starttls",no_argument,0,'S'}, {"certificate",required_argument,0,'D'}, {0, 0, 0, 0} }; if (argc < 2) return ERROR; for (c = 1; c < argc; c++) { if (strcmp ("-to", argv[c]) == 0) strcpy (argv[c], "-t"); else if (strcmp ("-wt", argv[c]) == 0) strcpy (argv[c], "-w"); else if (strcmp ("-ct", argv[c]) == 0) strcpy (argv[c], "-c"); } while (1) { c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:SD:F:A:U:P:", longopts, &option); if (c == -1 || c == EOF) break; switch (c) { case 'H': /* hostname */ if (is_host (optarg)) { server_address = optarg; } else { usage2 (_("Invalid hostname/address"), optarg); } break; case 'p': /* port */ if (is_intpos (optarg)) server_port = atoi (optarg); else usage4 (_("Port must be a positive integer")); break; case 'F': /* localhostname */ localhostname = strdup(optarg); break; case 'f': /* from argument */ from_arg = optarg; smtp_use_dummycmd = 1; break; case 'A': authtype = optarg; use_ehlo = TRUE; break; case 'U': authuser = optarg; break; case 'P': authpass = optarg; break; case 'e': /* server expect string on 220 */ server_expect = optarg; break; case 'C': /* commands */ if (ncommands >= command_size) { command_size+=8; commands = realloc (commands, sizeof(char *) * command_size); if (commands == NULL) die (STATE_UNKNOWN, _("Could not realloc() units [%d]\n"), ncommands); } commands[ncommands] = (char *) malloc (sizeof(char) * 255); strncpy (commands[ncommands], optarg, 255); ncommands++; break; case 'R': /* server responses */ if (nresponses >= response_size) { response_size += 8; responses = realloc (responses, sizeof(char *) * response_size); if (responses == NULL) die (STATE_UNKNOWN, _("Could not realloc() units [%d]\n"), nresponses); } responses[nresponses] = (char *) malloc (sizeof(char) * 255); strncpy (responses[nresponses], optarg, 255); nresponses++; break; case 'c': /* critical time threshold */ if (is_intnonneg (optarg)) { critical_time = atoi (optarg); check_critical_time = TRUE; } else { usage4 (_("Critical time must be a positive integer")); } break; case 'w': /* warning time threshold */ if (is_intnonneg (optarg)) { warning_time = atoi (optarg); check_warning_time = TRUE; } else { usage4 (_("Warning time must be a positive integer")); } break; case 'v': /* verbose */ verbose++; break; case 't': /* timeout */ if (is_intnonneg (optarg)) { socket_timeout = atoi (optarg); } else { usage4 (_("Timeout interval must be a positive integer")); } break; case 'S': /* starttls */ use_ssl = TRUE; use_ehlo = TRUE; break; case 'D': /* Check SSL cert validity */ #ifdef USE_OPENSSL if (!is_intnonneg (optarg)) usage2 ("Invalid certificate expiration period",optarg); days_till_exp = atoi (optarg); check_cert = TRUE; #else usage (_("SSL support not available - install OpenSSL and recompile")); #endif break; case '4': address_family = AF_INET; break; case '6': #ifdef USE_IPV6 address_family = AF_INET6; #else usage4 (_("IPv6 support not available")); #endif break; case 'V': /* version */ print_revision (progname, NP_VERSION); exit (STATE_OK); case 'h': /* help */ print_help (); exit (STATE_OK); case '?': /* help */ usage5 (); } } c = optind; if (server_address == NULL) { if (argv[c]) { if (is_host (argv[c])) server_address = argv[c]; else usage2 (_("Invalid hostname/address"), argv[c]); } else { asprintf (&server_address, "127.0.0.1"); } } if (server_expect == NULL) server_expect = strdup (SMTP_EXPECT); if (mail_command == NULL) mail_command = strdup("MAIL "); if (from_arg==NULL) from_arg = strdup(" "); return validate_arguments (); } int validate_arguments (void) { return OK; } void smtp_quit(void) { int bytes; my_send(SMTP_QUIT, strlen(SMTP_QUIT)); if (verbose) printf(_("sent %s\n"), "QUIT"); /* read the response but don't care about problems */ bytes = recvlines(buffer, MAX_INPUT_BUFFER); if (verbose) { if (bytes < 0) printf(_("recv() failed after QUIT.")); else if (bytes == 0) printf(_("Connection reset by peer.")); else { buffer[bytes] = '\0'; printf(_("received %s\n"), buffer); } } } /* * Receive one line, copy it into buf and nul-terminate it. Returns the * number of bytes written to buf (excluding the '\0') or 0 on EOF or <0 on * error. * * TODO: Reading one byte at a time is very inefficient. Replace this by a * function which buffers the data, move that to netutils.c and change * check_smtp and other plugins to use that. Also, remove (\r)\n. */ int recvline(char *buf, size_t bufsize) { int result; unsigned i; for (i = result = 0; i < bufsize - 1; i++) { if ((result = my_recv(&buf[i], 1)) != 1) break; if (buf[i] == '\n') { buf[++i] = '\0'; return i; } } return (result == 1 || i == 0) ? -2 : result; /* -2 if out of space */ } /* * Receive one or more lines, copy them into buf and nul-terminate it. Returns * the number of bytes written to buf (excluding the '\0') or 0 on EOF or <0 on * error. Works for all protocols which format multiline replies as follows: * * ``The format for multiline replies requires that every line, except the last, * begin with the reply code, followed immediately by a hyphen, `-' (also known * as minus), followed by text. The last line will begin with the reply code, * followed immediately by , optionally some text, and . As noted * above, servers SHOULD send the if subsequent text is not sent, but * clients MUST be prepared for it to be omitted.'' (RFC 2821, 4.2.1) * * TODO: Move this to netutils.c. Also, remove \r and possibly the final \n. */ int recvlines(char *buf, size_t bufsize) { int result, i; for (i = 0; /* forever */; i += result) if (!((result = recvline(buf + i, bufsize - i)) > 3 && isdigit((int)buf[i]) && isdigit((int)buf[i + 1]) && isdigit((int)buf[i + 2]) && buf[i + 3] == '-')) break; return (result <= 0) ? result : result + i; } int my_close (void) { #ifdef HAVE_SSL np_net_ssl_cleanup(); #endif return close(sd); } void print_help (void) { char *myport; asprintf (&myport, "%d", SMTP_PORT); print_revision (progname, NP_VERSION); printf ("Copyright (c) 1999-2001 Ethan Galstad \n"); printf (COPYRIGHT, copyright, email); printf("%s\n", _("This plugin will attempt to open an SMTP connection with the host.")); printf ("\n\n"); print_usage (); printf (UT_HELP_VRSN); printf (UT_EXTRA_OPTS); printf (UT_HOST_PORT, 'p', myport); printf (UT_IPv46); printf (" %s\n", "-e, --expect=STRING"); printf (_(" String to expect in first line of server response (default: '%s')\n"), SMTP_EXPECT); printf (" %s\n", "-C, --command=STRING"); printf (" %s\n", _("SMTP command (may be used repeatedly)")); printf (" %s\n", "-R, --command=STRING"); printf (" %s\n", _("Expected response to command (may be used repeatedly)")); printf (" %s\n", "-f, --from=STRING"); printf (" %s\n", _("FROM-address to include in MAIL command, required by Exchange 2000")), #ifdef HAVE_SSL printf (" %s\n", "-D, --certificate=INTEGER"); printf (" %s\n", _("Minimum number of days a certificate has to be valid.")); printf (" %s\n", "-S, --starttls"); printf (" %s\n", _("Use STARTTLS for the connection.")); #endif printf (" %s\n", "-A, --authtype=STRING"); printf (" %s\n", _("SMTP AUTH type to check (default none, only LOGIN supported)")); printf (" %s\n", "-U, --authuser=STRING"); printf (" %s\n", _("SMTP AUTH username")); printf (" %s\n", "-P, --authpass=STRING"); printf (" %s\n", _("SMTP AUTH password")); printf (UT_WARN_CRIT); printf (UT_TIMEOUT, DEFAULT_SOCKET_TIMEOUT); printf (UT_VERBOSE); printf("\n"); printf ("%s\n", _("Successul connects return STATE_OK, refusals and timeouts return")); printf ("%s\n", _("STATE_CRITICAL, other errors return STATE_UNKNOWN. Successful")); printf ("%s\n", _("connects, but incorrect reponse messages from the host result in")); printf ("%s\n", _("STATE_WARNING return values.")); printf (UT_SUPPORT); } void print_usage (void) { printf (_("Usage:")); printf ("%s -H host [-p port] [-e expect] [-C command] [-f from addr]", progname); printf ("[-A authtype -U authuser -P authpass] [-w warn] [-c crit] [-t timeout]\n"); printf ("[-S] [-D days] [-v] [-4|-6]\n"); }