[Nagiosplug-devel] PATCH: SMTP auth support in nagios plugin check_smtp.c

Holger Weiss holger at CIS.FU-Berlin.DE
Wed Nov 2 19:16:16 CET 2005


* Lubomir Host <rajo at platon.sk> [2005-11-02 10:28]:
> But check also patch from Holger Weiss
> https://sourceforge.net/mailarchive/forum.php?forum_id=8499&max_rows=25&style=flat&viewmonth=200511&viewday=1
> Here is a part "resend the EHLO command - RFC 3207". I don't have this
> fragment of code in my version, because my version is tested only with
> postfix, not exim.

Yes, with Exim you'll get a "503 AUTH command used when not advertised"
error if trying to use AUTH without (re)sending EHLO _after_ the TLS
negotiation (if Exim was configured to allow SMTP AUTH only via TLS).
Apart from that, your patch works fine for me.

I've attached a patch for the current code; it would be nice if it could
be applied.

Holger

-- 
PGP fingerprint:  F1F0 9071 8084 A426 DD59  9839 59D3 F3A1 B8B5 D3DE
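
The client-side rule behind the 503 error described above, as an added example that is not part of the original post or of check_smtp.c: capabilities learned before STARTTLS are discarded, and AUTH is allowed only after an EHLO reply received on the TLS channel advertises it. The struct, the function names and the sample replies are all assumptions constructed for illustration.

```c
#include <string.h>
#include <strings.h>

/* Hypothetical client state; every name in this example is an assumption. */
struct smtp_session {
    int caps_valid;  /* capabilities came from an EHLO on the current channel */
    int cap_auth;    /* server advertised AUTH */
};

/* Constructed sample replies: this server offers AUTH only once TLS is up. */
static const char EHLO_PLAIN[] =
    "250-mail.example.org Hello\r\n250-STARTTLS\r\n250 HELP\r\n";
static const char EHLO_TLS[] =
    "250-mail.example.org Hello\r\n250-AUTH PLAIN LOGIN\r\n250 HELP\r\n";

/* Parse a complete EHLO reply; returns 0 on success, -1 on any non-250 line. */
int parse_ehlo(struct smtp_session *s, const char *reply)
{
    int lines = 0;
    s->caps_valid = s->cap_auth = 0;
    while (*reply) {
        size_t len = strcspn(reply, "\r\n");
        if (len < 4 || strncmp(reply, "250", 3) != 0 ||
            (reply[3] != '-' && reply[3] != ' '))
            return -1;
        /* The first line is the greeting; keywords start on line two. */
        if (lines++ > 0 && len >= 8 && !strncasecmp(reply + 4, "AUTH", 4) &&
            (len == 8 || reply[8] == ' ' || reply[8] == '='))
            s->cap_auth = 1;
        reply += len;
        reply += strspn(reply, "\r\n");
    }
    s->caps_valid = lines > 0;
    return lines > 0 ? 0 : -1;
}

/* RFC 3207 (4.2): discard everything learned before the TLS negotiation. */
void on_tls_established(struct smtp_session *s)
{
    s->caps_valid = s->cap_auth = 0;
}

/* AUTH may be sent only if an EHLO on the current channel advertised it. */
int may_send_auth(const struct smtp_session *s)
{
    return s->caps_valid && s->cap_auth;
}
```

With this state handling, a capability list seen in plaintext (including one altered in transit) has no effect on what the client does after the handshake.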
-------------- next part --------------
Index: check_smtp.c
===================================================================
RCS file: /cvsroot/nagiosplug/nagiosplug/plugins/check_smtp.c,v
retrieving revision 1.50
diff -u -r1.50 check_smtp.c
--- check_smtp.c	2 Nov 2005 08:47:26 -0000	1.50
+++ check_smtp.c	3 Nov 2005 03:13:01 -0000
@@ -270,6 +270,35 @@
 		  } else {
 			ssl_established = 1;
 		  }
+
+		/*
+		 * Resend the EHLO command.
+		 *
+		 * RFC 3207 (4.2) says: ``The client MUST discard any knowledge
+		 * obtained from the server, such as the list of SMTP service
+		 * extensions, which was not obtained from the TLS negotiation
+		 * itself.  The client SHOULD send an EHLO command as the first
+		 * command after a successful TLS negotiation.''  For this
+		 * reason, some MTAs will not allow an AUTH LOGIN command before
+		 * we resent EHLO via TLS.
+		 */
+		if (my_send(helocmd, strlen(helocmd)) <= 0) {
+			printf(_("UNKNOWN - Cannot send '%s' command via TLS.\n"), helocmd);
+			np_net_ssl_cleanup(), close(sd);
+			return STATE_UNKNOWN;
+		}
+		if (verbose)
+			printf(_("sent %s"), helocmd);
+		if ((n = my_recv(buffer, MAX_INPUT_BUFFER - 1)) <= 0) {
+			printf(_("UNKNOWN - Cannot read '%s' response via TLS.\n"), helocmd);
+			np_net_ssl_cleanup(), close(sd);
+			return STATE_UNKNOWN;
+		}
+		if (verbose) {
+			buffer[n] = '\0';
+			printf("%s", buffer);
+		}
+
 #  ifdef USE_OPENSSL
 		  if ( check_cert ) {
 		    result = np_net_ssl_check_cert(days_till_exp);
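Review bot: The reply to the re-sent EHLO (the my_recv() call in the second added if block) is read but its status code is never checked, so a server that answers the post-TLS EHLO with an error still lets the check proceed as if the handshake sequence had succeeded. Suggest comparing the start of buffer against the expected 250 code and returning a non-OK state otherwise. Related points in the same block: buffer[n] = '\0' is only executed inside if (verbose), so the buffer is left unterminated in the normal case and should be terminated unconditionally before any use as a string; and a single my_recv() may not return the whole multi-line EHLO reply, which would leave the remaining lines to be picked up by whatever read comes next. Style: the added lines are indented with tabs only, while the surrounding context mixes tabs and two spaces, and the comment's "before we resent EHLO" should read "before we resend EHLO".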

