Yes, "using TLS" and "using SSL" do the same thing (enable encryption). We have switched to the "TLS" keyword to prevent confusion, as the original SSLv[23] protocols are no longer safe and are disabled by default. The "SSL" keyword is still supported for backward compatibility.

Please can you get a network trace of the communication between monit and your mailserver on port 587 (for example using wireshark) and send it to [email protected]?

> On 30 Jul 2018, at 23:08, David Newman <[email protected]> wrote:
>
> On 7/30/18 12:05 PM, [email protected] wrote:
>> Thanks for data.
>>
>> I tried to reproduce the problem with the following configuration and it
>> seems to work correctly:
>>
>> set mailserver mail8.networktest.com port 587
>> username "test" password "123456"
>> using tls
>>
>> I get "Mail: Mailserver response error -- 535 5.7.8 Error: authentication
>> failed" but that is expected (I didn't use real credentials). The
>> credentials are sent by monit past the STARTTLS command and the server
>> didn't indicate the STARTTLS error.
>>
>> Please can you verify your monit is compiled with SSL?:
>>
>> monit -V
>
> Yes, it appears to be:
>
> This is Monit version 5.25.2
> Built with ssl, with ipv6, with compression, with pam and with large files
> Copyright (C) 2001-2018 Tildeslash Ltd. All Rights Reserved.
> dh
>
> This is on FreeBSD 11.2-RELEASE, compiled from ports.
>
> One delta between our configs, if it matters, is that yours has 'set tls'
> instead of 'set ssl' in the 'set mailserver' definition. I don't think
> that's significant, as I changed mine, restarted monit, and saw the same
> STARTTLS error as before. I also tried commenting out the 'pemfile:'
> line in the 'set ssl' definition but that also had no effect.
>
> An openssl STARTTLS handshake works OK from this server's command line.
> Output below.
>
> Anything else I need to check in the monit config?
>
> Thanks
>
> dn
>
>
> $ openssl s_client -connect mail8.networktest.com:587 -starttls smtp
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = mail8.networktest.com
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=mail8.networktest.com
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> subject=/CN=mail8.networktest.com
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 4504 bytes and written 468 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol : TLSv1.2
>     Cipher : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
> 0ACB792CC4FBE288FA99928EFED5091F9814FB55965D09D4805DBA3555405DE9
>     Session-ID-ctx:
>     Master-Key:
> 87E9DD57D5377D03140DE2867C90B784490DEEC53964486943C60A6CC58DCFB5DB9B642446B331925145D6CBA771E308
>     Key-Arg : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>
>     Start Time: 1532984690
>     Timeout : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> 250 SMTPUTF8
>
>>
>>> On 30 Jul 2018, at 20:53, David Newman <[email protected]> wrote:
>>>
>>> On 7/30/18 10:50 AM, [email protected] wrote:
>>>
>>>> The configuration looks fine, please can you send Monit log?
>>>
>>> It's just a lot of entries like this. I deliberately stopped the Mailman
>>> service to try to force an email alert from Monit.
>>>
>>> Thanks in advance for any troubleshooting clues.
>>>
>>> dn
>>>
>>> [PDT Jul 29 16:03:50] info : Starting Monit 5.25.2 daemon with http interface at [localhost]:2812
>>> [PDT Jul 29 16:03:50] info : 'mail8.networktest.com' Monit 5.25.2 started
>>> [PDT Jul 29 16:03:55] error : 'mailman' service restarted 1 times within 1 cycles(s) - alert
>>> [PDT Jul 29 16:03:55] error : Mail: Mailserver response error -- 530 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:03:55] error : Aborting event
>>> [PDT Jul 29 16:03:55] info : 'mailman' process is running after previous restart timeout (manually recovered?)
>>> [PDT Jul 29 16:03:55] error : Mail: Mailserver response error -- 530 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:03:55] error : Aborting event
>>> [PDT Jul 29 16:04:30] error : 'mailman' process is not running
>>> [PDT Jul 29 16:04:30] error : Mail: Mailserver response error -- 530 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:04:30] error : Aborting event
>>> [PDT Jul 29 16:04:30] info : 'mailman' trying to restart
>>> [PDT Jul 29 16:04:30] info : 'mailman' start: '/usr/local/etc/rc.d/mailman start'
>>> [PDT Jul 29 16:05:21] error : 'mailman' service restarted 1 times within 1 cycles(s) - alert
>>> [PDT Jul 29 16:05:21] error : Mail: Mailserver response error -- 530 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:05:21] error : Aborting event
>>> [PDT Jul 29 16:05:21] info : 'mailman' process is running with pid 18239
>>> [PDT Jul 29 16:05:21] error : Mail: Mailserver response error -- 530 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:05:21] error : Aborting event
>>> [PDT Jul 29 16:05:21] info : 'mailman' process is running after previous restart timeout (manually recovered?)
>>> [PDT Jul 29 16:05:21] error : Mail: Mailserver response error -- 530 5.7.0 Must issue a STARTTLS command first
>>> [PDT Jul 29 16:05:21] error : Aborting event
>>>
>>>>
>>>> Best regards,
>>>> Martin
>>>>
>>>>
>>>>> On 30 Jul 2018, at 01:16, David Newman <[email protected]> wrote:
>>>>>
>>>>> FreeBSD 11.2, monit-5.25.2 compiled from ports with SSL/TLS support
>>>>>
>>>>> What's the correct syntax for monit to use STARTTLS when sending email
>>>>> alerts?
>>>>>
>>>>> Currently monit logs this error:
>>>>>
>>>>> [PDT Jul 29 16:05:21] error : Mail: Mailserver response error -- 530 5.7.0 Must issue a STARTTLS command first
>>>>>
>>>>> Using this configuration in /usr/local/etc/monitrc:
>>>>>
>>>>> set ssl options {
>>>>>   version: auto
>>>>>   verify: enable
>>>>>   pemfile: /etc/ssl/certs/mail.example.com/everything.pem
>>>>> }
>>>>>
>>>>> set mailserver mail.example.com
>>>>>   port 587
>>>>>   username "[email protected]"
>>>>>   password="wouldnt-you-like-to-know"
>>>>>   using ssl
>>>>>
>>>>> check process mailman with pidfile /usr/local/mailman/data/master-qrunner.pid
>>>>>   group mailman
>>>>>   start program = "/usr/local/etc/rc.d/mailman start"
>>>>>   stop program = "/usr/local/etc/rc.d/mailman stop"
>>>>>   if 1 restarts within 1 cycles then alert
>>>>>
>>>>> Thanks!
>>>>>
>>>>> dn
>>>>>
>
> --
> To unsubscribe:
> https://lists.nongnu.org/mailman/listinfo/monit-general
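
Added example, not part of the original thread and not Monit code: one way to read the plaintext portion of the port-587 trace requested above, flagging any AUTH/MAIL/RCPT/DATA command sent before the STARTTLS upgrade and any 530 rejection. The transcripts, the hostnames in them and the `audit` helper are constructed for illustration.

```python
import re

# Constructed transcripts (not taken from the thread): (side, line) pairs as
# read from the cleartext part of a capture. "C" = client, "S" = server.
FAILING = [
    ("S", "220 mail.example.com ESMTP"),
    ("C", "EHLO monitor.example.com"),
    ("S", "250-mail.example.com"),
    ("S", "250-STARTTLS"),
    ("S", "250 SMTPUTF8"),
    ("C", "MAIL FROM:<monit@example.com>"),
    ("S", "530 5.7.0 Must issue a STARTTLS command first"),
]
UPGRADED = FAILING[:5] + [("C", "STARTTLS"), ("S", "220 2.0.0 Ready to start TLS")]

# Commands that should only ever appear inside the TLS tunnel on a submission port.
NEEDS_TLS = ("AUTH", "MAIL", "RCPT", "DATA")

def audit(transcript):
    """Return a list of findings for one cleartext SMTP session."""
    findings, offered, upgraded, last_cmd = [], False, False, None
    for side, line in transcript:
        if side == "C":
            parts = line.split()
            last_cmd = parts[0].upper() if parts else ""
            if last_cmd in NEEDS_TLS and not upgraded:
                findings.append(f"{last_cmd} sent in cleartext before STARTTLS")
            continue
        m = re.match(r"(\d{3})([ -])(.*)", line)
        if not m:
            continue
        code, _, text = m.groups()
        if last_cmd == "EHLO" and code == "250" and text.upper().startswith("STARTTLS"):
            offered = True          # server advertises the extension
        elif last_cmd == "STARTTLS" and code == "220":
            upgraded = True         # everything after this is encrypted
        elif code == "530":
            findings.append(f"server rejected {last_cmd}: {line}")
    if not offered:
        findings.append("server did not advertise STARTTLS in EHLO reply")
    elif not upgraded:
        findings.append("STARTTLS offered but never negotiated")
    return findings

if __name__ == "__main__":
    for name, t in (("failing", FAILING), ("upgraded", UPGRADED)):
        print(name, audit(t) or "ok")
```
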
