Nagios & Sendmail SMTP Relay

When a notification has made it successfully through all of the filters, Nagios executes the commands defined in the host_notification_commands or service_notification_commands directive for the contact being notified. These commands are defined in /usr/local/nagios/etc/commands.cfg. The default notify-service-by-email command uses the /usr/bin/mail script to send email. This script lets users send email quickly by using the sendmail server that comes installed with Fedora.

In order for Nagios to send valid email (email that won't be blocked by spam filters and has a valid return address) on behalf of a domain whose mail server is not the local machine, the local mail server must relay all email to that domain's mail server. By default most mail servers only accept email addressed to users of the domains they are responsible for; only after authenticating can a user send mail from the server to an outside domain. If unauthenticated users could send mail to any domain, anyone could send limitless spam through the server. Thus, in order for sendmail to send email to domains other than those the relay server is responsible for, it must authenticate with the relay server.

Before configuring sendmail, it is important to check that the relaying server is configured properly to allow an authenticated user to send mail. This can be confirmed by:
  • telnet to the relay mail server
    • telnet [relay server's hostname/ip] [port]
    • 220 Smokey.ip2business.com Microsoft ESMTP MAIL Service ready at Wed, 26 May 2010 17:41:52 -0400
  • Issue the ehlo command to see the mail server's list of extensions. The mail server must support the AUTH LOGIN extension to allow users to authenticate.
    • ehlo client-domain.com
    • 250-mailserver-domain.com Hello [ip address]
      250-SIZE
      250-PIPELINING
      250-DSN
      250-ENHANCEDSTATUSCODES
      250-X-ANONYMOUSTLS
      250-AUTH NTLM LOGIN
      250-X-EXPS GSSAPI NTLM
      250-8BITMIME
      250-BINARYMIME
      250-CHUNKING
      250-XEXCH50
      250 XRDST
  • Make sure the mail server is not an open relay (one that allows unauthenticated users to send mail to domains not handled by the server) by attempting to send an email to an outside domain. If no error message is returned after the "rcpt to" command, this security issue must be fixed before going further.
    • mail from: doesnt-matter@domain.com
    • 250 2.1.0 Sender OK
    • rcpt to: doesnt-matter@external-domain.com
    • 550 5.7.1 Unable to relay
    • rset
    • 250 2.0.0 Resetting
  • Now authenticate with the mail server and attempt to send the email again.
    • Issue the auth login command to initiate the authentication process. The server responds with "Username:" in base64 encoding.
    • auth login
    • 334 VXNlcm5hbWU6
    • Enter your username in base64 encoding. This site will convert it for you: http://www.opinionatedgeek.com/dotnet/tools/base64encode/
    • [username in base64]
    • 334 UGFzc3dvcmQ6
    • The mail server then asks for your password, again in base64.
    • [password in base64]
    • 235 2.7.0 Authentication successful
    • mail from: doesnt-matter@mail-server-domain.com
    • 250 2.1.0 Sender OK
    • rcpt to: doesnt-matter@external-domain.com
    • 250 2.1.5 Recipient OK
    • data
    • 354 Start mail input; end with .
    • Subject: "[Text for the subject line]"
    • [Text for the body of the email]
    • .
    • 250 2.6.0 <3325ca07-af24-4837-96b2-c0fe558897d7@domain.com> Queued mail for delivery
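
As an added example (not part of the original post), the following Python script performs the same checks as the telnet session above: it parses the EHLO reply for the AUTH LOGIN mechanism, classifies the reply to an unauthenticated "rcpt to" for an outside domain, and handles the base64 of AUTH LOGIN locally so no third-party web page needs to see the credential. The EHLO text, hostname and client address are constructed placeholders; the live check_relay function is my own assumption about how you would script the session with Python's smtplib and needs a reachable relay server, while the other functions run offline.

```python
import base64
import smtplib

# Constructed EHLO reply, modelled on the extension list in the transcript
# above (hostname and client address are placeholders, not real hosts).
SAMPLE_EHLO = """250-mailserver-domain.com Hello [192.0.2.25]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST"""


def ehlo_extensions(ehlo_text):
    """Parse a raw EHLO reply into {EXTENSION: 'parameters'}.
    The first line is the server greeting, not an extension."""
    exts = {}
    for line in ehlo_text.splitlines()[1:]:
        body = line[4:].strip()            # drop the leading '250-' or '250 '
        name, _, params = body.partition(" ")
        exts[name.upper()] = params
    return exts


def auth_login_supported(ehlo_text):
    """True when the AUTH extension advertises the LOGIN mechanism."""
    mechs = ehlo_extensions(ehlo_text).get("AUTH", "").upper().split()
    return "LOGIN" in mechs


def relay_verdict(rcpt_code):
    """Interpret the reply to an *unauthenticated* RCPT TO for an outside
    domain: 550 (relay denied) is the healthy answer, 2xx means open relay."""
    if 200 <= rcpt_code < 300:
        return "OPEN RELAY - fix before going further"
    if rcpt_code == 550:
        return "relay denied (expected)"
    return "unexpected reply %d" % rcpt_code


def decode_challenge(b64_text):
    """Decode a 334 AUTH LOGIN challenge such as VXNlcm5hbWU6 -> 'Username:'."""
    return base64.b64decode(b64_text).decode("ascii")


def encode_credential(text):
    """Base64-encode a username or password the way AUTH LOGIN expects it."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def check_relay(host, port, username, password, sender, external_rcpt):
    """Live version of the telnet session above using smtplib (assumed
    usage, needs a reachable server). Nothing is delivered: each envelope
    is discarded with RSET right after the RCPT reply."""
    findings = {}
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        # smtplib keeps extension names lowercase in esmtp_features
        auth_mechs = smtp.esmtp_features.get("auth", "").upper().split()
        findings["auth_login"] = "LOGIN" in auth_mechs
        smtp.mail(sender)
        code, _ = smtp.rcpt(external_rcpt)
        findings["unauthenticated_relay"] = relay_verdict(code)
        smtp.rset()
        if smtp.has_extn("starttls"):      # protect the credentials when offered
            smtp.starttls()
            smtp.ehlo()
        smtp.login(username, password)
        smtp.mail(sender)
        code, _ = smtp.rcpt(external_rcpt)
        findings["authenticated_relay_accepted"] = 200 <= code < 300
        smtp.rset()
    return findings


if __name__ == "__main__":
    print(ehlo_extensions(SAMPLE_EHLO))
    print(auth_login_supported(SAMPLE_EHLO), relay_verdict(550), relay_verdict(250))
    print(decode_challenge("VXNlcm5hbWU6"), encode_credential("Password:"))
```

Run the offline functions against a saved EHLO reply first; call check_relay only against a relay you administer, with a sender in one of that relay's own domains and a recipient in an outside domain, and read the "unauthenticated_relay" finding before the authenticated one.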
Once you have verified the relaying server has been configured properly, sendmail can be configured to send all of its mail to the relay server by using the SMART_HOST directive and SMTP_AUTH with the PLAIN mechanism for authentication. The following directions come from http://www.screaming-penguin.com/node/4214. Many Linux distros use Sendmail as the default MTA (Fedora among them).
1. Note that the default location on Fedora (and many distros) for Sendmail's installed files is "/etc/mail". sendmail.cf, sendmail.mc, the access map, and so on are located at /etc/mail.
2. Check that your Sendmail binary has STARTTLS and SASL support:
    sendmail -d0.1 -bv
   Make sure STARTTLS and SASL are present in the output. This is the default on Fedora and other distros now, so they are likely already there; if you do not have these you need to back up and recompile sendmail to include them. Yes, the client usage requires them.
3. Edit your sendmail.mc to include the "smart host" option. (Use brackets here if you want sendmail to skip an MX record lookup and use the A record: `[mail.bellsouth.net]'. Don't use brackets if you need the MX: `mail.bellsouth.net'. If you are unsure, try it with brackets and if it doesn't work take them out.)
    define(`SMART_HOST',`[mail.bellsouth.net]')
4. Edit your sendmail.mc to set up a map for "authinfo".
    FEATURE(`authinfo',`hash /etc/mail/authinfo.db')
5. Check the rest of your sendmail.mc to make sure that things are sane and items relevant to STARTTLS and SASL are uncommented and valid. For example, check to ensure you have the certificate-related entries (and that these entries are valid; you may have to create the sendmail.pem cert: from the cert dir run "make sendmail.pem", assuming you have the OpenSSL libraries available):
    define(`confCACERT_PATH',`/usr/share/ssl/certs')
    define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
    define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
    define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
   Make sure you also have the auth mechanisms defined/uncommented (I am not sure this should be required just for the client, but I had to enable them to get things working):
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
    define(`confAUTH_OPTIONS', `A p y')dnl
    TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
   Also you should turn up the logging temporarily in order to verify things:
    define(`confLOG_LEVEL', `20')dnl
6. Create the "authinfo" file (the file that tells the SMTP_AUTH client what credentials to log in with for what domain):
    AuthInfo:mail.bellsouth.net "U:root" "I:user@bellsouth.net" "P:password" "M:LOGIN PLAIN"
7. With the newly edited "sendmail.mc" file, use m4 (the sendmail macro burner) to create "sendmail.cf":
    m4 sendmail.mc > sendmail.cf
8. With the newly created "authinfo" file, make the authinfo.db which sendmail will use:
    makemap hash /etc/mail/authinfo < /etc/mail/authinfo
9. Restart sendmail (default: /etc/init.d/sendmail restart) and check the logs (default: /etc/maillog) to make sure there are no issues/errors/warnings. Errors such as "unable to find STARTTLS certificate" need to be addressed before you proceed; really there should be no errors or warnings, these have meanings. ;)
10. Run a map test to ensure that the "authinfo" db is being correctly picked up by your new sendmail configuration:
    echo '/map authinfo AuthInfo:mail.bellsouth.net' | /usr/sbin/sendmail -bt
   If this is found and there is an entry then proceed; otherwise something is amiss with authinfo and that needs to be addressed.
11. OPTIONAL: Make an alias for the "root" user to go to an actual external email account (if not already done). For example, in /etc/aliases change the line under "Person that should get root's email" to "root: user@gmail.com", where that is a valid external email account. Make sure to run "newaliases" to invoke it.
12. Send an email to root and watch the logs:
    mail root
    Test
    this is a test
    .
The logs should show all the SMTP level info (since it is using level 20) and should show a line that reads similar to: Feb 17 21:08:45 totsp sendmail[27587]: k1I28jTQ027587: MAIL From: SIZE=29 AUTH=root@yourhostname.org. This shows that the AUTH was made. Then a little further down in the log you should see that the message was accepted. (If it was not accepted you will see that it was rejected and why: the response code.) UPDATE: Also see the new information on the Sendmail.org site about using Sendmail as an AUTH client - http://www.sendmail.org/~ca/email/auth.html.
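
The steps above are done by hand. As an added example that is not part of the original post and not sendmail's own code, this Python script builds the AuthInfo line from step 6, writes it so that only root can read it (the file holds the relay password in clear text, and makemap copies it into authinfo.db, which deserves the same permissions), and scans sample maillog lines of the kind step 12 describes to confirm per queue id that AUTH was used on the MAIL command and that the relay accepted the message. The log lines, queue ids, hostnames and addresses are constructed for the example; the relay hostname and login reuse the post's placeholder values.

```python
import os
import re
import tempfile

# Constructed maillog excerpt in sendmail's format. The first message shows
# AUTH= on the MAIL line and stat=Sent; the second deliberately shows neither.
# Queue ids, hostnames and addresses are made up for this example.
SAMPLE_MAILLOG = """\
Feb 17 21:08:45 totsp sendmail[27587]: k1I28jTQ027587: from=root, size=29, class=0, nrcpts=1, msgid=<202002172108.k1I28jTQ027587@totsp.example>, relay=root@localhost
Feb 17 21:08:45 totsp sendmail[27587]: k1I28jTQ027587: MAIL From:<root@totsp.example> SIZE=29 AUTH=root@totsp.example
Feb 17 21:08:46 totsp sendmail[27587]: k1I28jTQ027587: to=<user@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30029, relay=mail.bellsouth.net. [192.0.2.10], dsn=2.0.0, stat=Sent (Queued mail for delivery)
Feb 17 21:12:02 totsp sendmail[27611]: k1I2C2aa027611: from=root, size=31, class=0, nrcpts=1, msgid=<202002172112.k1I2C2aa027611@totsp.example>, relay=root@localhost
Feb 17 21:12:02 totsp sendmail[27611]: k1I2C2aa027611: MAIL From:<root@totsp.example> SIZE=31
Feb 17 21:12:03 totsp sendmail[27611]: k1I2C2aa027611: to=<user@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30031, relay=mail.bellsouth.net. [192.0.2.10], dsn=5.7.1, stat=Service unavailable
"""

LOG_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")


def authinfo_line(relay_host, login_user, password, mechs="LOGIN PLAIN", authz_user="root"):
    """Build the step-6 entry. U: is the authorization id, I: the login name
    (authentication id), P: the password, M: the mechanisms to offer."""
    for value in (relay_host, login_user, password, mechs, authz_user):
        if '"' in value or "\n" in value:
            raise ValueError("value would break the quoted authinfo syntax")
    return 'AuthInfo:%s "U:%s" "I:%s" "P:%s" "M:%s"' % (
        relay_host, authz_user, login_user, password, mechs)


def write_authinfo(path, line):
    """Write the authinfo source file so only its owner can read it and
    return the resulting mode as an octal string (expected '0o600')."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(line + "\n")
    os.chmod(path, 0o600)      # tighten a pre-existing file with a looser mode
    return oct(os.stat(path).st_mode & 0o777)


def relay_status(log_text):
    """Per queue id: did the SMTP client authenticate (AUTH= on the MAIL
    line, visible at confLOG_LEVEL 20) and did the relay accept the message
    (stat=Sent, with the DSN code for diagnosis when it did not)?"""
    status = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entry = status.setdefault(m.group("qid"), {"auth": False, "sent": False, "dsn": None})
        rest = m.group("rest")
        if rest.startswith("MAIL From:"):
            entry["auth"] = "AUTH=" in rest
        elif rest.startswith("to="):
            entry["sent"] = "stat=Sent" in rest
            dsn = re.search(r"dsn=([0-9.]+)", rest)
            entry["dsn"] = dsn.group(1) if dsn else None
    return status


def self_check():
    """Exercise everything against a temp directory and the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "authinfo")
        line = authinfo_line("mail.bellsouth.net", "user@bellsouth.net", "password")
        mode = write_authinfo(path, line)
        with open(path) as fh:
            content = fh.read()
    return {"line": line, "mode": mode, "content": content, "log": relay_status(SAMPLE_MAILLOG)}


if __name__ == "__main__":
    for key, value in self_check().items():
        print(key, value)
```

To use it for real, call write_authinfo with /etc/mail/authinfo as root, then run the makemap command from step 8 and chmod 600 the resulting authinfo.db as well; feed relay_status the tail of your maillog after step 12 and look for the queue id of the test message with auth True and sent True.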


Nagios
  • the web gui can be reached by going to http://localhost/nagios/
  • the support documents can be found at http://support.nagios.com/knowledgebase/officialdocs
  • configuration files are in /usr/local/nagios
  • check nagios configuration files for errors by issuing: /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
  • Main Nagios log file: /usr/local/nagios/var/nagios.log
  • Debug log file: /usr/local/nagios/var/nagios.debug (debug level controlled in /usr/local/nagios/nagios.cfg)
  • By default nagios will automatically ping hosts and send notifications if the host goes down. This can be disabled with the "checks_enabled 0" directive
  • If the host has no service a notification is sent only after the hard down state is reached. To reach the hard down state first you must wait max_retry_attempts*retry_interval
  • By setting notification_interval 0 in the general-service template, Nagios will send only one (1) email per critical or down state. If this is set to something else, you will generate multiple tickets, which is not good.
  • Services don't send notifications until they have reached a hard state as well.
  • Nagios uses the /bin/mail script to send email, which in turn uses sendmail.
  • Nagios dispatches all notifications to the sendmail client, which is responsible for sending the emails. The sendmail client queues mail in the /var/spool/clientqueue folder.
  • The check_ping!200.0,20%!600.0,60% command passes arguments delimited by "!". The first argument is passed to the -w flag as the warning threshold (200ms round trip or 20% packet loss) and the second argument is passed to the -c flag as the critical threshold (600ms round trip or 60% packet loss).
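
As an added example (not part of the original post or of Nagios), this Python model follows a check_ping command through the points listed above: the argument split on "!", check_ping's warning/critical comparison of round-trip time and packet loss, and the soft/hard retry logic that decides when a notification email is actually sent (the retry count the post calls max_retry_attempts is the max_check_attempts directive in Nagios). notification_interval is counted here in checks rather than minutes to keep the model small, and the ping samples are constructed.

```python
# Constructed sample command, in exactly the form shown in the list above.
COMMAND = "check_ping!200.0,20%!600.0,60%"


def parse_thresholds(command):
    """Split a Nagios command definition on '!' and parse each 'rta,pl%'
    argument into (round_trip_ms, packet_loss_pct); the first argument is
    the -w (warning) pair, the second the -c (critical) pair."""
    name, *args = command.split("!")
    pairs = []
    for arg in args:
        rta, loss = arg.split(",")
        pairs.append((float(rta), float(loss.rstrip("%"))))
    return name, pairs


def ping_state(rta_ms, loss_pct, warn, crit):
    """check_ping's verdict: CRITICAL if either metric reaches the -c pair
    (or the host never answered, rta < 0), WARNING if either reaches -w,
    otherwise OK."""
    if rta_ms < 0 or rta_ms >= crit[0] or loss_pct >= crit[1]:
        return "CRITICAL"
    if rta_ms >= warn[0] or loss_pct >= warn[1]:
        return "WARNING"
    return "OK"


def notification_events(states, max_check_attempts, notification_interval=0):
    """Walk check results through Nagios's SOFT/HARD logic and return a list
    of (check_index, event). A problem stays SOFT (no email) until
    max_check_attempts consecutive non-OK results make it HARD; the HARD
    transition notifies, a change between HARD problem states notifies,
    recovery to OK notifies, and with notification_interval 0 nothing is
    re-sent while the problem persists."""
    events, attempt, hard, since = [], 0, "OK", 0
    for i, state in enumerate(states):
        if state == "OK":
            if hard != "OK":                      # HARD problem -> OK: recovery
                events.append((i, "RECOVERY, notify"))
            hard, attempt, since = "OK", 0, 0
            continue
        attempt += 1
        if hard == "OK" and attempt < max_check_attempts:
            events.append((i, "SOFT %s %d/%d, no notification"
                           % (state, attempt, max_check_attempts)))
            continue
        if state != hard:                         # new hard state (or escalation)
            hard, since = state, 0
            events.append((i, "HARD %s, notify" % state))
            continue
        since += 1
        if notification_interval and since >= notification_interval:
            since = 0
            events.append((i, "HARD %s, re-notify" % state))
    return events


def run(command, samples, max_check_attempts, notification_interval=0):
    """Evaluate constructed (rta_ms, loss_pct) samples against the thresholds
    in `command` and report the states and which checks would send email."""
    _, (warn, crit) = parse_thresholds(command)
    states = [ping_state(rta, loss, warn, crit) for rta, loss in samples]
    return states, notification_events(states, max_check_attempts, notification_interval)


if __name__ == "__main__":
    # Four slow replies in a row, then a fast one: the email goes out on the
    # third failure (HARD) and once more on recovery, never on the fourth.
    samples = [(650, 0), (700, 0), (800, 10), (900, 0), (20, 0)]
    states, events = run(COMMAND, samples, max_check_attempts=3)
    print(states)
    for index, event in events:
        print(index, event)
```

Changing the last argument of run to a non-zero notification_interval shows the repeated ticket the list item warns about: the fourth failing check then produces a re-notify event.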
