Nagios Test For SMTP SSL
I wanted to make sure the certificate was working correctly on my mail servers. After a bit of digging around I found the following:
Create a file named /usr/lib64/nagios/plugins/check_mail_ssl:
#!/bin/bash
## Usage example: ./check_mail_ssl -h <host> -p <port> -w 90 -c 60
## -h = mail server domain or IP
## -p = mail server port: 995/25/993
## -w = integer number (Warning days)
## -c = integer number (Critical days)
#
# Requirement : bc command should be installed.
#
HOST=""
PORT=""
WARN_DAYS=""
CRIT_DAYS=""
# Print usage only; each caller exits with 3 (Nagios UNKNOWN) afterwards
printHelp () {
    echo "Usage: ${0} -h <host> -p <port> -w <warning days> -c <critical days>"
}
while getopts "h:p:w:c:" options
do
    case $options in
        h ) HOST=$OPTARG;;
        p ) PORT=$OPTARG;;
        w ) WARN_DAYS=$OPTARG;;
        c ) CRIT_DAYS=$OPTARG;;
    esac
done
if [ ! "$HOST" ]
then
    echo "ERROR: No mail server host domain or IP specified."
    printHelp
    exit 3
fi
if [ ! "$PORT" ]
then
    echo "ERROR: No mail server port specified."
    printHelp
    exit 3
fi
if [ ! "$WARN_DAYS" ]
then
    echo "ERROR: No certificate warning days specified."
    printHelp
    exit 3
fi
if [ ! "$CRIT_DAYS" ]
then
    echo "ERROR: No certificate critical days specified."
    printHelp
    exit 3
fi
##
## Read the certificate's notAfter date; the plain-text ports need STARTTLS first
if [ "$PORT" -eq 25 ] || [ "$PORT" -eq 587 ] || [ "$PORT" -eq 2525 ]; then
    EXPIRY_DATE=$(echo "EXIT" | openssl s_client -starttls smtp -showcerts -connect "$HOST:$PORT" -servername "$HOST" 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | awk -F '=' '{print $NF}')
elif [ "$PORT" -eq 110 ]; then
    EXPIRY_DATE=$(echo "EXIT" | openssl s_client -starttls pop3 -showcerts -connect "$HOST:$PORT" -servername "$HOST" 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | awk -F '=' '{print $NF}')
elif [ "$PORT" -eq 143 ]; then
    EXPIRY_DATE=$(echo "EXIT" | openssl s_client -starttls imap -showcerts -connect "$HOST:$PORT" -servername "$HOST" 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | awk -F '=' '{print $NF}')
else
    EXPIRY_DATE=$(echo "EXIT" | openssl s_client -showcerts -connect "$HOST:$PORT" -servername "$HOST" 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | awk -F '=' '{print $NF}')
fi
## No date means the connection or handshake failed; report UNKNOWN
## instead of letting date -d parse an empty string as today
if [ -z "$EXPIRY_DATE" ]; then
    echo "SSL UNKNOWN: Could not read a certificate from $HOST:$PORT."
    exit 3
fi
##
## Service label used in the status message
if [ "$PORT" -eq 25 ] || [ "$PORT" -eq 587 ] || [ "$PORT" -eq 2525 ] || [ "$PORT" -eq 465 ]; then
    SVC="SMTP"
elif [ "$PORT" -eq 143 ] || [ "$PORT" -eq 993 ]; then
    SVC="IMAP"
elif [ "$PORT" -eq 110 ] || [ "$PORT" -eq 995 ]; then
    SVC="POP3"
else
    # Any other port: keep the message readable
    SVC="TLS"
fi
##
EXPIRY_DATE_SEC=$(date -d "$EXPIRY_DATE" "+%s")
CURRENT_DATE_SEC=$(date "+%s")
EXPIRY_DAYS=$(echo "($EXPIRY_DATE_SEC - $CURRENT_DATE_SEC)/(86400)" | bc)
## Compare seconds for the expired case: bc truncates toward zero, so a
## certificate that expired a few hours ago would still show 0 days left
if [ "$EXPIRY_DATE_SEC" -le "$CURRENT_DATE_SEC" ]; then
    echo "SSL CRITICAL: Mail server, $HOST, $SVC certificate expired on $EXPIRY_DATE."
    exit 2
elif [ "$EXPIRY_DAYS" -gt "$WARN_DAYS" ]; then
    echo "SSL OK: Mail server, $HOST, $SVC certificate will expire on $EXPIRY_DATE, $EXPIRY_DAYS days left."
    exit 0
elif [ "$EXPIRY_DAYS" -ge "$CRIT_DAYS" ]; then
    echo "SSL WARNING: Mail server, $HOST, $SVC certificate will expire on $EXPIRY_DATE, $EXPIRY_DAYS days left."
    exit 1
else
    echo "SSL CRITICAL: Mail server, $HOST, $SVC certificate will expire on $EXPIRY_DATE, $EXPIRY_DAYS days left."
    exit 2
fi
Set the permissions:
chmod 755 /usr/lib64/nagios/plugins/check_mail_ssl
Now test it:
/usr/lib64/nagios/plugins/check_mail_ssl -h mail.mydomain.net -p 587 -w 30 -c 15
where:
- -h is the host to be tested
- -p is the port to test (either 587 or 465)
- -w is the number of days before expiration at which to raise a warning
- -c is the number of days before expiration at which to raise a critical error (note: set the -w value to be greater than the -c value)
You will get a message like this:
SSL OK: Mail server, mail.mydomain.net, SMTP certificate will expire on Feb 1 23:59:59 2024 GMT, 362 days left.
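The threshold decision from the script above, pulled out as a function that can be exercised without a network connection. This is an added example, not part of the original post or the script it credits; the names is_uint and cert_state and the sample dates are assumptions, and it needs GNU date.

```shell
#!/bin/sh
# Added example (not from the original post); is_uint and cert_state are assumed names.
# Needs GNU date for -d, like the script above.

# True when $1 is a non-negative integer
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# cert_state NOT_AFTER WARN_DAYS CRIT_DAYS [NOW_EPOCH]
# Prints a status line; returns the Nagios state: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
cert_state() {
    local not_after="$1" warn="$2" crit="$3" now="${4:-$(date +%s)}" exp days
    # Both thresholds must be integers, with -w greater than -c
    if ! is_uint "$warn" || ! is_uint "$crit" || [ "$warn" -le "$crit" ]; then
        echo "SSL UNKNOWN: -w and -c must be integers with -w greater than -c."
        return 3
    fi
    # GNU date parses an empty string as today's midnight, so reject it explicitly
    if [ -z "$not_after" ] || ! exp=$(date -u -d "$not_after" +%s 2>/dev/null); then
        echo "SSL UNKNOWN: no usable notAfter date."
        return 3
    fi
    # Compare seconds, not truncated days, so "expired an hour ago" is caught
    if [ "$exp" -le "$now" ]; then
        echo "SSL CRITICAL: certificate expired on $not_after."
        return 2
    fi
    days=$(( (exp - now) / 86400 ))
    if [ "$days" -gt "$warn" ]; then
        echo "SSL OK: certificate will expire on $not_after, $days days left."
        return 0
    elif [ "$days" -ge "$crit" ]; then
        echo "SSL WARNING: certificate will expire on $not_after, $days days left."
        return 1
    fi
    echo "SSL CRITICAL: certificate will expire on $not_after, $days days left."
    return 2
}

# Constructed inputs, checked against a fixed "now" so the result is repeatable
NOW=$(date -u -d "Jan 20 00:00:00 2024 GMT" +%s)
cert_state "Feb 1 23:59:59 2024 GMT" 30 15 "$NOW"; echo "state=$?"
cert_state "" 30 15 "$NOW"; echo "state=$?"
```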
To set up Nagios, add the following to your existing nagios/command.cfg file:
define command {
    command_name    check_mail_ssl
    command_line    $USER1$/check_mail_ssl -h $HOSTADDRESS$ -p $ARG1$ -w $ARG2$ -c $ARG3$ $ARG4$
    register        1
}
Create a file inside nagios/services named MAIL-SMTP-SSL.cfg:
define service {
    #NAGIOSQL_CONFIG_NAME   MAIL-SMTP-SSL
    host_name               mail.mydomain.net
    service_description     MAIL-SMTP-SSL
    use                     local-service
    check_command           check_mail_ssl!587!30!15
    register                1
}
HT: https://itnixpro.com/check-imap-smtp-pop3-ssl-tls-certificate-expiry-with-nagios/
Tested against Nagios running on Fedora 37
