/****************************************************************************** This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. $Id: check_smtp.c,v 1.43 2005/01/01 16:15:39 tonvoon Exp $ ******************************************************************************/ const char *progname = "check_smtp"; const char *revision = "$Revision: 1.43 $"; const char *copyright = "2000-2004"; const char *email = "nagiosplug-devel@lists.sourceforge.net"; #include "common.h" #include "netutils.h" #include "utils.h" #ifdef HAVE_SSL_H # include # include # include # include # include # include #else # ifdef HAVE_OPENSSL_SSL_H # include # include # include # include # include # include # endif #endif #ifdef HAVE_SSL int check_cert = FALSE; int days_till_exp; SSL_CTX *ctx; SSL *ssl; X509 *server_cert; int connect_STARTTLS (void); int check_certificate (X509 **); #endif enum { SMTP_PORT = 25 }; const char *SMTP_EXPECT = "220"; const char *SMTP_HELO = "HELO "; const char *SMTP_QUIT = "QUIT\r\n"; const char *SMTP_STARTTLS = "STARTTLS\r\n"; int process_arguments (int, char **); int validate_arguments (void); void print_help (void); void print_usage (void); int myrecv(void); int my_close(void); #ifdef HAVE_REGEX_H #include char regex_expect[MAX_INPUT_BUFFER] = ""; regex_t preg; regmatch_t pmatch[10]; char timestamp[10] = ""; char errbuf[MAX_INPUT_BUFFER]; int cflags = REG_EXTENDED | REG_NOSUB | REG_NEWLINE; int eflags = 0; int errcode, excode; #endif int server_port = SMTP_PORT; char *server_address = NULL; char *server_expect = NULL; int smtp_use_dummycmd = 0; char *mail_command = NULL; char *from_arg = NULL; int ncommands=0; int command_size=0; int nresponses=0; int response_size=0; char **commands = NULL; char **responses = NULL; int warning_time = 0; int check_warning_time = FALSE; int critical_time = 0; int check_critical_time = FALSE; int verbose = 0; int use_ssl = FALSE; int sd; char buffer[MAX_INPUT_BUFFER]; enum { TCP_PROTOCOL = 1, UDP_PROTOCOL = 2, MAXBUF = 1024 }; int main (int argc, char **argv) { int n = 0; double elapsed_time; long microsec; int result = STATE_UNKNOWN; char *cmd_str = NULL; char *helocmd = NULL; struct timeval tv; setlocale (LC_ALL, ""); bindtextdomain (PACKAGE, LOCALEDIR); textdomain (PACKAGE); if (process_arguments (argc, argv) == ERROR) usage4 (_("Could not parse arguments")); /* initialize the HELO command with the localhostname */ #ifndef HOST_MAX_BYTES #define HOST_MAX_BYTES 255 #endif helocmd = malloc (HOST_MAX_BYTES); gethostname(helocmd, HOST_MAX_BYTES); asprintf (&helocmd, "%s%s%s", SMTP_HELO, helocmd, "\r\n"); /* initialize the MAIL command with optional FROM command */ asprintf (&cmd_str, "%sFROM: %s%s", mail_command, from_arg, "\r\n"); if (verbose && smtp_use_dummycmd) printf ("FROM CMD: %s", cmd_str); /* initialize alarm signal handling */ (void) signal (SIGALRM, socket_timeout_alarm_handler); /* set socket timeout */ (void) alarm (socket_timeout); /* start timer */ gettimeofday (&tv, NULL); /* try to connect to the host at the given port number */ result = my_tcp_connect (server_address, server_port, &sd); if (result == STATE_OK) { /* we connected */ /* watch for the SMTP connection string and */ /* return a WARNING status if we couldn't read any data */ if (recv (sd, buffer, MAX_INPUT_BUFFER - 1, 0) == -1) { printf (_("recv() failed\n")); result = STATE_WARNING; } else { if (verbose) printf ("%s", buffer); /* strip the buffer of carriage returns */ strip (buffer); /* make sure we find the response we are looking for */ if (!strstr (buffer, server_expect)) { if (server_port == SMTP_PORT) printf (_("Invalid SMTP response received from host\n")); else printf (_("Invalid SMTP response received from host on port %d\n"), server_port); result = STATE_WARNING; } } #ifdef HAVE_SSL if(use_ssl) { send(sd, helocmd, strlen(helocmd), 0); recv(sd,buffer, MAX_INPUT_BUFFER-1, 0); // wait for it /* send the STARTTLS command */ send(sd, SMTP_STARTTLS, strlen(SMTP_STARTTLS), 0); recv(sd,buffer, MAX_INPUT_BUFFER-1, 0); // wait for it if (!strstr (buffer, server_expect)) { printf (_("Server does not support STARTTLS : %s \n"),buffer); return STATE_UNKNOWN; } if(connect_STARTTLS() != OK) { printf (_("CRITICAL - Cannot create SSL context.: %s \n"),buffer); return STATE_CRITICAL; } if ( check_cert ) { if ((server_cert = SSL_get_peer_certificate (ssl)) != NULL) { result = check_certificate (&server_cert); X509_free(server_cert); } else { printf (_("CRITICAL - Cannot retrieve server certificate.: %s \n"),buffer); result = STATE_CRITICAL; } my_close(); return result; } } #endif /* send the HELO command */ #ifdef HAVE_SSL if (use_ssl) SSL_write(ssl, helocmd, strlen(helocmd)); else #endif send(sd, helocmd, strlen(helocmd), 0); /* allow for response to helo command to reach us */ myrecv(); /* sendmail will syslog a "NOQUEUE" error if session does not attempt * to do something useful. This can be prevented by giving a command * even if syntax is illegal (MAIL requires a FROM:<...> argument) * * According to rfc821 you can include a null reversepath in the from command * - but a log message is generated on the smtp server. * * You can disable sending mail_command with '--nocommand' * Use the -f option to provide a FROM address */ if (smtp_use_dummycmd) { #ifdef HAVE_SSL if (use_ssl) SSL_write(ssl, cmd_str, strlen(cmd_str)); else #endif send(sd, cmd_str, strlen(cmd_str), 0); myrecv(); if (verbose) printf("%s", buffer); } while (n < ncommands) { asprintf (&cmd_str, "%s%s", commands[n], "\r\n"); #ifdef HAVE_SSL if (use_ssl) SSL_write(ssl,cmd_str, strlen(cmd_str)); else #endif send(sd, cmd_str, strlen(cmd_str), 0); myrecv(); if (verbose) printf("%s", buffer); strip (buffer); if (n < nresponses) { #ifdef HAVE_REGEX_H cflags |= REG_EXTENDED | REG_NOSUB | REG_NEWLINE; //strncpy (regex_expect, responses[n], sizeof (regex_expect) - 1); //regex_expect[sizeof (regex_expect) - 1] = '\0'; errcode = regcomp (&preg, responses[n], cflags); if (errcode != 0) { regerror (errcode, &preg, errbuf, MAX_INPUT_BUFFER); printf (_("Could Not Compile Regular Expression")); return ERROR; } excode = regexec (&preg, buffer, 10, pmatch, eflags); if (excode == 0) { result = STATE_OK; } else if (excode == REG_NOMATCH) { result = STATE_WARNING; printf (_("SMTP %s - Invalid response '%s' to command '%s'\n"), state_text (result), buffer, commands[n]); } else { regerror (excode, &preg, errbuf, MAX_INPUT_BUFFER); printf (_("Execute Error: %s\n"), errbuf); result = STATE_UNKNOWN; } #else if (strstr(buffer, responses[n])!=buffer) { result = STATE_WARNING; printf (_("SMTP %s - Invalid response '%s' to command '%s'\n"), state_text (result), buffer, commands[n]); } #endif } n++; } /* tell the server we're done */ #ifdef HAVE_SSL if (use_ssl) SSL_write(ssl,SMTP_QUIT, strlen (SMTP_QUIT)); else #endif send (sd, SMTP_QUIT, strlen (SMTP_QUIT), 0); /* finally close the connection */ close (sd); } /* reset the alarm */ alarm (0); microsec = deltime (tv); elapsed_time = (double)microsec / 1.0e6; if (result == STATE_OK) { if (check_critical_time && elapsed_time > (double) critical_time) result = STATE_CRITICAL; else if (check_warning_time && elapsed_time > (double) warning_time) result = STATE_WARNING; } printf (_("SMTP %s - %.3f sec. response time%s%s|%s\n"), state_text (result), elapsed_time, verbose?", ":"", verbose?buffer:"", fperfdata ("time", elapsed_time, "s", (int)check_warning_time, warning_time, (int)check_critical_time, critical_time, TRUE, 0, FALSE, 0)); return result; } /* process command-line arguments */ int process_arguments (int argc, char **argv) { int c; int option = 0; static struct option longopts[] = { {"hostname", required_argument, 0, 'H'}, {"expect", required_argument, 0, 'e'}, {"critical", required_argument, 0, 'c'}, {"warning", required_argument, 0, 'w'}, {"timeout", required_argument, 0, 't'}, {"port", required_argument, 0, 'p'}, {"from", required_argument, 0, 'f'}, {"command", required_argument, 0, 'C'}, {"response", required_argument, 0, 'R'}, {"nocommand", required_argument, 0, 'n'}, {"verbose", no_argument, 0, 'v'}, {"version", no_argument, 0, 'V'}, {"use-ipv4", no_argument, 0, '4'}, {"use-ipv6", no_argument, 0, '6'}, {"help", no_argument, 0, 'h'}, {"starttls",no_argument,0,'S'}, {"certificate",required_argument,0,'D'}, {0, 0, 0, 0} }; if (argc < 2) return ERROR; for (c = 1; c < argc; c++) { if (strcmp ("-to", argv[c]) == 0) strcpy (argv[c], "-t"); else if (strcmp ("-wt", argv[c]) == 0) strcpy (argv[c], "-w"); else if (strcmp ("-ct", argv[c]) == 0) strcpy (argv[c], "-c"); } while (1) { c = getopt_long (argc, argv, "+hVv46t:p:f:e:c:w:H:C:R:SD:", longopts, &option); if (c == -1 || c == EOF) break; switch (c) { case 'H': /* hostname */ if (is_host (optarg)) { server_address = optarg; } else { usage2 (_("Invalid hostname/address"), optarg); } break; case 'p': /* port */ if (is_intpos (optarg)) server_port = atoi (optarg); else usage4 (_("Port must be a positive integer")); break; case 'f': /* from argument */ from_arg = optarg; smtp_use_dummycmd = 1; break; case 'e': /* server expect string on 220 */ server_expect = optarg; break; case 'C': /* commands */ if (ncommands >= command_size) { commands = realloc (commands, command_size+8); if (commands == NULL) die (STATE_UNKNOWN, _("Could not realloc() units [%d]\n"), ncommands); } commands[ncommands] = optarg; ncommands++; break; case 'R': /* server responses */ if (nresponses >= response_size) { responses = realloc (responses, response_size+8); if (responses == NULL) die (STATE_UNKNOWN, _("Could not realloc() units [%d]\n"), nresponses); } responses[nresponses] = optarg; nresponses++; break; case 'c': /* critical time threshold */ if (is_intnonneg (optarg)) { critical_time = atoi (optarg); check_critical_time = TRUE; } else { usage4 (_("Critical time must be a positive integer")); } break; case 'w': /* warning time threshold */ if (is_intnonneg (optarg)) { warning_time = atoi (optarg); check_warning_time = TRUE; } else { usage4 (_("Warning time must be a positive integer")); } break; case 'v': /* verbose */ verbose++; break; case 't': /* timeout */ if (is_intnonneg (optarg)) { socket_timeout = atoi (optarg); } else { usage4 (_("Timeout interval must be a positive integer")); } break; case 'S': /* starttls */ use_ssl = TRUE; break; case 'D': /* Check SSL cert validity */ #ifdef HAVE_SSL if (!is_intnonneg (optarg)) usage2 ("Invalid certificate expiration period",optarg); days_till_exp = atoi (optarg); check_cert = TRUE; #else usage (_("SSL support not available - install OpenSSL and recompile")); #endif break; case '4': address_family = AF_INET; break; case '6': #ifdef USE_IPV6 address_family = AF_INET6; #else usage4 (_("IPv6 support not available")); #endif break; case 'V': /* version */ print_revision (progname, revision); exit (STATE_OK); case 'h': /* help */ print_help (); exit (STATE_OK); case '?': /* help */ usage2 (_("Unknown argument"), optarg); } } c = optind; if (server_address == NULL) { if (argv[c]) { if (is_host (argv[c])) server_address = argv[c]; else usage2 (_("Invalid hostname/address"), argv[c]); } else { asprintf (&server_address, "127.0.0.1"); } } if (server_expect == NULL) server_expect = strdup (SMTP_EXPECT); if (mail_command == NULL) mail_command = strdup("MAIL "); if (from_arg==NULL) from_arg = strdup(" "); return validate_arguments (); } int validate_arguments (void) { return OK; } void print_help (void) { char *myport; asprintf (&myport, "%d", SMTP_PORT); print_revision (progname, revision); printf ("Copyright (c) 1999-2001 Ethan Galstad \n"); printf (COPYRIGHT, copyright, email); printf(_("This plugin will attempt to open an SMTP connection with the host.\n\n")); print_usage (); printf (_(UT_HELP_VRSN)); printf (_(UT_HOST_PORT), 'p', myport); printf (_(UT_IPv46)); printf (_("\ -e, --expect=STRING\n\ String to expect in first line of server response (default: '%s')\n\ -n, nocommand\n\ Suppress SMTP command\n\ -C, --command=STRING\n\ SMTP command (may be used repeatedly)\n\ -R, --command=STRING\n\ Expected response to command (may be used repeatedly)\n\ -f, --from=STRING\n\ FROM-address to include in MAIL command, required by Exchange 2000\n"), SMTP_EXPECT); #ifdef HAVE_SSL printf (_("\ -D, --certificate=INTEGER\n\ Minimum number of days a certificate has to be valid.\n\ -S, --starttls\n\ Use STARTTLS for the connection.\n")); #endif printf (_(UT_WARN_CRIT)); printf (_(UT_TIMEOUT), DEFAULT_SOCKET_TIMEOUT); printf (_(UT_VERBOSE)); printf(_("\n\ Successul connects return STATE_OK, refusals and timeouts return\n\ STATE_CRITICAL, other errors return STATE_UNKNOWN. Successful\n\ connects, but incorrect reponse messages from the host result in\n\ STATE_WARNING return values.\n")); printf (_(UT_SUPPORT)); } void print_usage (void) { printf ("\ Usage: %s -H host [-p port] [-e expect] [-C command] [-f from addr]\n\ [-w warn] [-c crit] [-t timeout] [-S] [-D days] [-n] [-v] [-4|-6]\n", progname); } #ifdef HAVE_SSL int connect_STARTTLS (void) { SSL_METHOD *meth; /* Initialize SSL context */ SSLeay_add_ssl_algorithms (); meth = SSLv2_client_method (); SSL_load_error_strings (); if ((ctx = SSL_CTX_new (meth)) == NULL) { printf(_("CRITICAL - Cannot create SSL context.\n")); return STATE_CRITICAL; } /* do the SSL handshake */ if ((ssl = SSL_new (ctx)) != NULL) { SSL_set_fd (ssl, sd); /* original version checked for -1 I look for success instead (1) */ if (SSL_connect (ssl) == 1) return OK; ERR_print_errors_fp (stderr); } else { printf (_("CRITICAL - Cannot initiate SSL handshake.\n")); } /* this causes a seg faul not sure why, being sloppy and commenting it out */ // SSL_free (ssl); SSL_CTX_free(ctx); my_close(); return STATE_CRITICAL; } int check_certificate (X509 ** certificate) { ASN1_STRING *tm; int offset; struct tm stamp; int days_left; /* Retrieve timestamp of certificate */ tm = X509_get_notAfter (*certificate); /* Generate tm structure to process timestamp */ if (tm->type == V_ASN1_UTCTIME) { if (tm->length < 10) { printf (_("CRITICAL - Wrong time format in certificate.\n")); return STATE_CRITICAL; } else { stamp.tm_year = (tm->data[0] - '0') * 10 + (tm->data[1] - '0'); if (stamp.tm_year < 50) stamp.tm_year += 100; offset = 0; } } else { if (tm->length < 12) { printf (_("CRITICAL - Wrong time format in certificate.\n")); return STATE_CRITICAL; } else { stamp.tm_year = (tm->data[0] - '0') * 1000 + (tm->data[1] - '0') * 100 + (tm->data[2] - '0') * 10 + (tm->data[3] - '0'); stamp.tm_year -= 1900; offset = 2; } } stamp.tm_mon = (tm->data[2 + offset] - '0') * 10 + (tm->data[3 + offset] - '0') - 1; stamp.tm_mday = (tm->data[4 + offset] - '0') * 10 + (tm->data[5 + offset] - '0'); stamp.tm_hour = (tm->data[6 + offset] - '0') * 10 + (tm->data[7 + offset] - '0'); stamp.tm_min = (tm->data[8 + offset] - '0') * 10 + (tm->data[9 + offset] - '0'); stamp.tm_sec = 0; stamp.tm_isdst = -1; days_left = (mktime (&stamp) - time (NULL)) / 86400; snprintf (timestamp, 16, "%02d/%02d/%04d %02d:%02d", stamp.tm_mon + 1, stamp.tm_mday, stamp.tm_year + 1900, stamp.tm_hour, stamp.tm_min); if (days_left > 0 && days_left <= days_till_exp) { printf ("Certificate expires in %d day(s) (%s).\n", days_left, timestamp); return STATE_WARNING; } if (days_left < 0) { printf ("Certificate expired on %s.\n", timestamp); return STATE_CRITICAL; } if (days_left == 0) { printf ("Certificate expires today (%s).\n", timestamp); return STATE_WARNING; } printf ("Certificate will expire on %s.\n", timestamp); return STATE_OK; } #endif int myrecv (void) { int i; #ifdef HAVE_SSL if (use_ssl) { i = SSL_read (ssl, buffer, MAXBUF - 1); } else { #endif i = read (sd, buffer, MAXBUF - 1); #ifdef HAVE_SSL } #endif return i; } int myrecv_norm (void) { int i; i = read (sd, buffer, MAXBUF - 1); return i; } int my_close (void) { #ifdef HAVE_SSL if (use_ssl == TRUE) { SSL_shutdown (ssl); SSL_free (ssl); SSL_CTX_free (ctx); return 0; } else { #endif return close(sd); #ifdef HAVE_SSL } #endif }