From d00a65f8172ea55b6b4938c65ae0568dbd03b9c0 Mon Sep 17 00:00:00 2001 From: Ton Voon Date: Thu, 12 Oct 2006 20:36:46 +0000 Subject: [PATCH] Resend EHLO after TLS negotiation as per RFC3207 (Holger Weiss - 1482832) git-svn-id: https://nagiosplug.svn.sourceforge.net/svnroot/nagiosplug/nagiosplug/trunk@1493 f882894a-f735-0410-b71e-b25c423dba1c --- plugins/check_smtp.c | 34 ++++++++++++++++++++++++-- plugins/t/check_smtp.t | 55 ++++++++++++++++++++++++++++-------------- 2 files changed, 69 insertions(+), 20 deletions(-) diff --git a/plugins/check_smtp.c b/plugins/check_smtp.c index e7cf2ea..e4da30e 100644 --- a/plugins/check_smtp.c +++ b/plugins/check_smtp.c @@ -282,6 +282,35 @@ main (int argc, char **argv) } else { ssl_established = 1; } + + /* + * Resend the EHLO command. + * + * RFC 3207 (4.2) says: ``The client MUST discard any knowledge + * obtained from the server, such as the list of SMTP service + * extensions, which was not obtained from the TLS negotiation + * itself. The client SHOULD send an EHLO command as the first + * command after a successful TLS negotiation.'' For this + * reason, some MTAs will not allow an AUTH LOGIN command before + * we resent EHLO via TLS. + */ + if (my_send(helocmd, strlen(helocmd)) <= 0) { + printf(_("SMTP UNKNOWN - Cannot send EHLO command via TLS.\n")); + my_close(); + return STATE_UNKNOWN; + } + if (verbose) + printf(_("sent %s"), helocmd); + if ((n = my_recv(buffer, MAX_INPUT_BUFFER - 1)) <= 0) { + printf(_("SMTP UNKNOWN - Cannot read EHLO response via TLS.\n")); + my_close(); + return STATE_UNKNOWN; + } + if (verbose) { + buffer[n] = '\0'; + printf("%s", buffer); + } + # ifdef USE_OPENSSL if ( check_cert ) { result = np_net_ssl_check_cert(days_till_exp); @@ -705,8 +734,8 @@ print_help (void) printf (_(UT_IPv46)); printf (" %s\n", "-e, --expect=STRING"); - printf (_("String to expect in first line of server response (default: '%s')"),SMTP_EXPECT); - printf (" %s\n\n", "-n, nocommand\n"); + printf (_(" String to expect in first line of server response (default: '%s')\n"), SMTP_EXPECT); + printf (" %s\n", "-n, nocommand"); printf (" %s\n", _("Suppress SMTP command")); printf (" %s\n", "-C, --command=STRING"); printf (" %s\n", _("SMTP command (may be used repeatedly)")); @@ -734,6 +763,7 @@ print_help (void) printf (_(UT_VERBOSE)); + printf("\n"); printf ("%s\n", _("Successul connects return STATE_OK, refusals and timeouts return")); printf ("%s\n", _("STATE_CRITICAL, other errors return STATE_UNKNOWN. Successful")); printf ("%s\n", _("connects, but incorrect reponse messages from the host result in")); diff --git a/plugins/t/check_smtp.t b/plugins/t/check_smtp.t index 3bf32ec..0046a58 100644 --- a/plugins/t/check_smtp.t +++ b/plugins/t/check_smtp.t @@ -6,29 +6,48 @@ # use strict; -use Test; +use Test::More; use NPTest; -use vars qw($tests); -BEGIN {$tests = 5; plan tests => $tests} +my $host_tcp_smtp = getTestParameter( "NP_HOST_TCP_SMTP", + "A host providing an SMTP Service (a mail server)", "mailhost"); -my $host_tcp_smtp = getTestParameter( "host_tcp_smtp", "NP_HOST_TCP_SMTP", "mailhost", - "A host providing an STMP Service (a mail server)"); +my $host_nonresponsive = getTestParameter( "NP_HOST_NONRESPONSIVE", + "The hostname of system not responsive to network requests", "10.0.0.1" ); -my $host_nonresponsive = getTestParameter( "host_nonresponsive", "NP_HOST_NONRESPONSIVE", "10.0.0.1", - "The hostname of system not responsive to network requests" ); +my $hostname_invalid = getTestParameter( "NP_HOSTNAME_INVALID", + "An invalid (not known to DNS) hostname", "nosuchhost" ); +my $res; -my $hostname_invalid = getTestParameter( "hostname_invalid", "NP_HOSTNAME_INVALID", "nosuchhost", - "An invalid (not known to DNS) hostname" ); -my %exceptions = ( 2 => "No SMTP Server present?" ); +plan tests => 8; -my $t; +SKIP: { + skip "No SMTP server defined", 3 unless $host_tcp_smtp; + $res = NPTest->testCmd( "./check_smtp $host_tcp_smtp" ); + is ($res->return_code, 0, "OK"); + + $res = NPTest->testCmd( "./check_smtp -H $host_tcp_smtp -p 25 -w 9 -c 9 -t 10 -e 220" ); + is ($res->return_code, 0, "OK, within 9 second response"); -$t += checkCmd( "./check_smtp $host_tcp_smtp", 0, undef, %exceptions ); -$t += checkCmd( "./check_smtp -H $host_tcp_smtp -p 25 -t 1 -w 9 -c 9 -t 10 -e 220", 0, undef, %exceptions ); -$t += checkCmd( "./check_smtp -H $host_tcp_smtp -p 25 -wt 9 -ct 9 -to 10 -e 220", 0, undef, %exceptions ); -$t += checkCmd( "./check_smtp $host_nonresponsive", 2 ); -$t += checkCmd( "./check_smtp $hostname_invalid", 3 ); + $res = NPTest->testCmd( "./check_smtp -H $host_tcp_smtp -p 25 -wt 9 -ct 9 -to 10 -e 220" ); + is ($res->return_code, 0, "OK, old syntax"); + + $res = NPTest->testCmd( "./check_smtp -H $host_tcp_smtp -e 221" ); + is ($res->return_code, 1, "WARNING - got correct error when expecting 221 instead of 220" ); + + TODO: { + local $TODO = "Output is over two lines"; + like ( $res->output, qr/^SMTP WARNING/, "Correct error message" ); + } + + # SSL connection + $res = NPTest->testCmd( "./check_smtp -H $host_tcp_smtp -p 25 -S" ); + is ($res->return_code, 0, "OK, with STARTTLS" ); +} + +$res = NPTest->testCmd( "./check_smtp $host_nonresponsive" ); +is ($res->return_code, 2, "CRITICAL - host non responding" ); + +$res = NPTest->testCmd( "./check_smtp $hostname_invalid" ); +is ($res->return_code, 3, "UNKNOWN - hostname invalid" ); -exit(0) if defined($Test::Harness::VERSION); -exit($tests - $t); -- 2.30.2