correct STARTTLS syntax for email alerts?

correct STARTTLS syntax for email alerts?

David Newman
FreeBSD 11.2, monit-5.25.2 compiled from ports with SSL/TLS support

What's the correct syntax for monit to use STARTTLS when sending email
alerts?

Currently monit logs this error:

[PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
5.7.0 Must issue a STARTTLS command first

Using this configuration in /usr/local/etc/monitrc:

set ssl options {
        version: auto
        verify: enable
        pemfile: /etc/ssl/certs/mail.example.com/everything.pem
}

set mailserver mail.example.com
        port 587
        username "[hidden email]"
        password="wouldnt-you-like-to-know"
        using ssl

check process mailman with pidfile
/usr/local/mailman/data/master-qrunner.pid
        group mailman
        start program = "/usr/local/etc/rc.d/mailman start"
        stop program = "/usr/local/etc/rc.d/mailman stop"
        if 1 restarts within 1 cycles then alert

Thanks!

dn


--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general

Re: correct STARTTLS syntax for email alerts?

martinp@tildeslash.com
The configuration looks fine, please can you send Monit log?

Best regards,
Martin


> On 30 Jul 2018, at 01:16, David Newman <[hidden email]> wrote:



Re: correct STARTTLS syntax for email alerts?

David Newman
On 7/30/18 10:50 AM, [hidden email] wrote:

> The configuration looks fine, please can you send Monit log?

It's just a lot of entries like this. I deliberately stopped the Mailman
service to try to force an email alert from Monit.

Thanks in advance for any troubleshooting clues.

dn

[PDT Jul 29 16:03:50] info     : Starting Monit 5.25.2 daemon with http
interface at [localhost]:2812
[PDT Jul 29 16:03:50] info     : 'mail8.networktest.com' Monit 5.25.2
started
[PDT Jul 29 16:03:55] error    : 'mailman' service restarted 1 times
within 1 cycles(s) - alert
[PDT Jul 29 16:03:55] error    : Mail: Mailserver response error -- 530
5.7.0 Must issue a STARTTLS command first
[PDT Jul 29 16:03:55] error    : Aborting event
[PDT Jul 29 16:03:55] info     : 'mailman' process is running after
previous restart timeout (manually recovered?)
[PDT Jul 29 16:03:55] error    : Mail: Mailserver response error -- 530
5.7.0 Must issue a STARTTLS command first
[PDT Jul 29 16:03:55] error    : Aborting event
[PDT Jul 29 16:04:30] error    : 'mailman' process is not running
[PDT Jul 29 16:04:30] error    : Mail: Mailserver response error -- 530
5.7.0 Must issue a STARTTLS command first
[PDT Jul 29 16:04:30] error    : Aborting event
[PDT Jul 29 16:04:30] info     : 'mailman' trying to restart
[PDT Jul 29 16:04:30] info     : 'mailman' start:
'/usr/local/etc/rc.d/mailman start'
[PDT Jul 29 16:05:21] error    : 'mailman' service restarted 1 times
within 1 cycles(s) - alert
[PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
5.7.0 Must issue a STARTTLS command first
[PDT Jul 29 16:05:21] error    : Aborting event
[PDT Jul 29 16:05:21] info     : 'mailman' process is running with pid 18239
[PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
5.7.0 Must issue a STARTTLS command first
[PDT Jul 29 16:05:21] error    : Aborting event
[PDT Jul 29 16:05:21] info     : 'mailman' process is running after
previous restart timeout (manually recovered?)
[PDT Jul 29 16:05:21] error    : Mail: Mailserver response error -- 530
5.7.0 Must issue a STARTTLS command first
[PDT Jul 29 16:05:21] error    : Aborting event






Re: correct STARTTLS syntax for email alerts?

martinp@tildeslash.com
Thanks for the data.

I tried to reproduce the problem with the following configuration and it seems to work correctly:

set mailserver mail8.networktest.com port 587
        username "test" password "123456"
        using tls

I get "Mail: Mailserver response error -- 535 5.7.8 Error: authentication failed" but that is expected (I didn't use real credentials). The credentials are sent by monit past the STARTTLS command and the server didn't indicate the STARTTLS error.

Please can you verify your monit is compiled with SSL?:

        monit -V




> On 30 Jul 2018, at 20:53, David Newman <[hidden email]> wrote:

Re: correct STARTTLS syntax for email alerts?

David Newman
On 7/30/18 12:05 PM, [hidden email] wrote:

> Thanks for data.
>
> I tried to reproduce the problem with the following configuration and it seems to work correctly:
>
> set mailserver mail8.networktest.com port 587
>         username "test" password "123456"
>         using tls
>
> I get "Mail: Mailserver response error -- 535 5.7.8 Error: authentication failed" but that is expected (I didn't use real credentials). The credentials are sent by monit past the STARTTLS command and the server didn't indicate the STARTTLS error.
>
> Please can you verify your monit is compiled with SSL?:
>
> monit -V

Yes, it appears to be:

This is Monit version 5.25.2
Built with ssl, with ipv6, with compression, with pam and with large files
Copyright (C) 2001-2018 Tildeslash Ltd. All Rights Reserved.
dh

This is on FreeBSD 11.2-RELEASE, compiled from ports.

One delta between our configs, if it matters, is that yours has 'set tls'
instead of 'set ssl' in the 'set mailserver' definition. I don't think
that's significant, as I changed mine, restarted monit, and saw the same
STARTTLS error as before. I also tried commenting out the 'pemfile:'
line in the 'set ssl' definition but that also had no effect.

An openssl STARTTLS handshake works OK from this server's command line.
Output below.

Anything else I need to check in the monit config?

Thanks

dn


$ openssl s_client -connect mail8.networktest.com:587 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mail8.networktest.com
verify return:1
---
Certificate chain
 0 s:/CN=mail8.networktest.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=mail8.networktest.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4504 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
0ACB792CC4FBE288FA99928EFED5091F9814FB55965D09D4805DBA3555405DE9
    Session-ID-ctx:
    Master-Key:
87E9DD57D5377D03140DE2867C90B784490DEEC53964486943C60A6CC58DCFB5DB9B642446B331925145D6CBA771E308
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1532984690
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 SMTPUTF8





Re: correct STARTTLS syntax for email alerts?

martinp@tildeslash.com
Yes, the "using TLS" and "using SSL" do the same (enable encryption) ... we have switched to "TLS" keyword to prevent confusion as the original SSLv[23] protocols are no longer safe and are disabled by default. The "SSL" keyword is still supported for backward compatibility.

Please can you get a network trace of the communication between monit and your mailserver on port 587 (for example using wireshark) and send it to [hidden email]?


> On 30 Jul 2018, at 23:08, David Newman <[hidden email]> wrote:
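
Martin's request for a port-587 trace and David's openssl check both come down to one question: what does the client send before STARTTLS, and what does the server offer before and after it. The following is an added example (not code from this thread or from Monit) that answers that question over a constructed plaintext capture, and in probe_submission performs the live STARTTLS check with certificate verification; the server name is the one from the thread, the client name and the captured lines are constructed.

```python
"""Analyse a plaintext SMTP submission exchange (what a port-587 capture shows
before encryption starts) for the '530 5.7.0 Must issue a STARTTLS command
first' failure, and probe a live server with a verified STARTTLS handshake.
Added example for this thread; not code from the list posts or from Monit."""
import smtplib
import ssl
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Commands that are safe to send before the session is encrypted.
PRE_TLS_OK = {"EHLO", "HELO", "STARTTLS", "NOOP", "QUIT"}


@dataclass
class ExchangeReport:
    starttls_offered: bool = False      # server listed STARTTLS in its EHLO reply
    starttls_sent: bool = False         # client actually issued STARTTLS
    cleartext_commands: List[str] = field(default_factory=list)  # verbs sent before TLS
    credentials_in_clear: bool = False  # AUTH attempted on the unencrypted channel
    first_error: Optional[str] = None   # first 4xx/5xx reply seen before TLS


def analyse_exchange(lines: List[Tuple[str, str]]) -> ExchangeReport:
    """lines are ("C", text) / ("S", text) pairs in wire order, plaintext only.
    Once the server answers STARTTLS with 220 the rest of the stream is
    encrypted, so the analysis stops there."""
    rep = ExchangeReport()
    awaiting_starttls_reply = False
    for who, text in lines:
        if who == "S":
            code = text[:3]
            if awaiting_starttls_reply:
                awaiting_starttls_reply = False
                if code == "220":
                    break               # TLS handshake follows; nothing more to see
            if code == "250" and text[4:].upper().startswith("STARTTLS"):
                rep.starttls_offered = True
            elif code[:1] in ("4", "5") and rep.first_error is None:
                rep.first_error = text
            continue
        verb = text.split(None, 1)[0].upper() if text.strip() else ""
        if not verb:
            continue
        if verb == "STARTTLS":
            rep.starttls_sent = True
            awaiting_starttls_reply = True
        elif verb not in PRE_TLS_OK:
            rep.cleartext_commands.append(verb)
            if verb == "AUTH":
                rep.credentials_in_clear = True
    return rep


def probe_submission(host: str, port: int = 587, cafile: Optional[str] = None,
                     timeout: float = 10.0) -> Tuple[bool, bool, str]:
    """Live check: EHLO, require STARTTLS, verify the certificate, EHLO again.
    Returns (auth_offered_before_tls, auth_offered_after_tls, tls_version).
    A server that only offers AUTH inside TLS is behaving correctly; a client
    that sends AUTH or MAIL before STARTTLS on such a server gets the 530."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not advertise STARTTLS")
        auth_before = smtp.has_extn("auth")
        smtp.starttls(context=ctx)      # raises ssl.SSLError if verification fails
        smtp.ehlo()                     # capabilities may differ inside TLS
        return auth_before, smtp.has_extn("auth"), smtp.sock.version()


# Constructed captures (server name from the thread, client name invented).
# The first reproduces the symptom: a command after EHLO with no STARTTLS.
FAILING_EXCHANGE = [
    ("S", "220 mail8.networktest.com ESMTP"),
    ("C", "EHLO monit-host.example"),
    ("S", "250-mail8.networktest.com"),
    ("S", "250-STARTTLS"),
    ("S", "250 SMTPUTF8"),
    ("C", "MAIL FROM:<monit@monit-host.example>"),
    ("S", "530 5.7.0 Must issue a STARTTLS command first"),
]
WORKING_EXCHANGE = FAILING_EXCHANGE[:5] + [
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
    # everything after this point is inside TLS and invisible to a capture
]

if __name__ == "__main__":
    for name, capture in (("failing", FAILING_EXCHANGE), ("working", WORKING_EXCHANGE)):
        print(name, analyse_exchange(capture))
```

Run probe_submission("mail8.networktest.com") from the monit host to get the same verification result as the openssl command above, plus whether AUTH is offered only after STARTTLS.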