QA fixes for smtp auth support

allow for self signed certificate with smtp_tls_verify=no

Signed-off-by: Scott R. Shinn <scott@atomicorp.com>

Author: atomicturtle

contrib/specs/server/preloaded-vars.conf

@@ -95,6 +95,14 @@ USER_ENABLE_EMAIL="n"
 # USER_EMAIL_SMTP defines the SMTP server to send the e-mails.
 #USER_EMAIL_SMTP="test.ossec.net"
 
+# SMTP authentication and TLS (install.sh enables USE_CURL=yes when these are set)
+#USER_SMTP_AUTH="y"
+#USER_SMTP_USER="user@example.com"
+#USER_SMTP_PASS="secret"
+#USER_SMTP_SECURE="n"
+#USER_SMTP_PORT="587"
+#USER_SMTP_TLS_VERIFY="y"
+
 
 # USER_ENABLE_SYSLOG enables or disables remote syslog.
 USER_ENABLE_SYSLOG="n"

etc/preloaded-vars.conf.example

@@ -101,6 +101,14 @@
 # USER_EMAIL_SMTP defines the SMTP server to send the e-mails.
 #USER_EMAIL_SMTP="test.ossec.net"
 
+# SMTP authentication and TLS (require USE_CURL=yes at build; install.sh sets this automatically)
+#USER_SMTP_AUTH="y"
+#USER_SMTP_USER="user@example.com"
+#USER_SMTP_PASS="secret"
+#USER_SMTP_SECURE="n"
+#USER_SMTP_PORT="587"
+#USER_SMTP_TLS_VERIFY="y"
+
 
 # USER_ENABLE_SYSLOG enables or disables remote syslog.
 #USER_ENABLE_SYSLOG="y"

etc/templates/en/messages.txt

@@ -41,6 +41,12 @@ yoursmtp="We found your SMTP server as"
 usesmtp="Do you want to use it?"
 usingsmtp="Using SMTP server: "
 whatsmtp="What's your SMTP server ip/host?"
+smtpauth="Do you want to use SMTP authentication?"
+smtpuser="What's your SMTP username?"
+smtppass="What's your SMTP password?"
+smtpsecure="Do you want to use a secure connection (SSL/TLS on connect, smtps)?"
+smtpport="What's your SMTP port?"
+smtptlsverify="Verify the SMTP server TLS certificate?"
 
 # Part 3.1/agent
 serveraddr="What's the IP Address or hostname of the OSSEC HIDS server?"

install.sh

@@ -102,7 +102,11 @@ Install()
     if [ "X${USER_BINARYINSTALL}" = "X" ]; then
         # Add DATABASE=pgsql or DATABASE=mysql to add support for database
         # alert entry
-        ${MAKEBIN} PREFIX=${INSTALLDIR} TARGET=${INSTYPE} build
+        _make_opts="PREFIX=${INSTALLDIR} TARGET=${INSTYPE}"
+        if [ "X${USE_CURL_BUILD}" = "Xyes" ]; then
+            _make_opts="${_make_opts} USE_CURL=yes"
+        fi
+        ${MAKEBIN} ${_make_opts} build
         if [ $? != 0 ]; then
             cd ../
             catError "0x5-build"
@@ -114,7 +118,11 @@ Install()
         UpdateStopOSSEC
     fi
 
-    ${MAKEBIN} PREFIX=${INSTALLDIR} TARGET=${INSTYPE} install
+    _make_opts="PREFIX=${INSTALLDIR} TARGET=${INSTYPE}"
+    if [ "X${USE_CURL_BUILD}" = "Xyes" ]; then
+        _make_opts="${_make_opts} USE_CURL=yes"
+    fi
+    ${MAKEBIN} ${_make_opts} install
     if [ $? != 0 ]; then
         cd ../
         catError "0x5-build"
@@ -540,6 +548,78 @@ ConfigureServer()
             else
                 SMTP=${USER_EMAIL_SMTP}
             fi
+
+            USE_CURL_BUILD="no"
+
+            # SMTP Auth
+            if [ "X${USER_SMTP_AUTH}" = "X" ]; then
+                echo ""
+                $ECHO "   - ${smtpauth} ($yes/$no) [$no]: "
+                read AUTH_SMTP
+            else
+                AUTH_SMTP=${USER_SMTP_AUTH}
+            fi
+
+            if [ "X${AUTH_SMTP}" = "X${yes}" ]; then
+                USE_CURL_BUILD="yes"
+                if [ "X${USER_SMTP_USER}" = "X" ]; then
+                    $ECHO "   - ${smtpuser}: "
+                    read SMTP_USER
+                else
+                    SMTP_USER=${USER_SMTP_USER}
+                fi
+                if [ "X${USER_SMTP_PASS}" = "X" ]; then
+                    $ECHO "   - ${smtppass}: "
+                    read SMTP_PASS
+                else
+                    SMTP_PASS=${USER_SMTP_PASS}
+                fi
+            fi
+
+            # SMTP Secure (smtps:// on connect; port 587 submission uses auth + STARTTLS with secure_smtp=no)
+            if [ "X${USER_SMTP_SECURE}" = "X" ]; then
+                $ECHO "   - ${smtpsecure} ($yes/$no) [$no]: "
+                read SMTP_SECURE
+            else
+                SMTP_SECURE=${USER_SMTP_SECURE}
+            fi
+
+            if [ "X${SMTP_SECURE}" = "X${yes}" ]; then
+                USE_CURL_BUILD="yes"
+            fi
+
+            # SMTP Port
+            if [ "X${AUTH_SMTP}" = "X${yes}" ]; then
+                _smtp_port_default="587"
+            else
+                _smtp_port_default="25"
+            fi
+            if [ "X${USER_SMTP_PORT}" = "X" ]; then
+                $ECHO "   - ${smtpport} [${_smtp_port_default}]: "
+                read SMTP_PORT
+                if [ "X${SMTP_PORT}" = "X" ]; then
+                    SMTP_PORT=${_smtp_port_default}
+                fi
+            else
+                SMTP_PORT=${USER_SMTP_PORT}
+            fi
+            if [ "X${SMTP_PORT}" != "X" ] && [ "X${SMTP_PORT}" != "X25" ]; then
+                USE_CURL_BUILD="yes"
+            fi
+
+            # TLS certificate verification (libcurl builds only)
+            if [ "X${USER_SMTP_TLS_VERIFY}" = "X" ]; then
+                $ECHO "   - ${smtptlsverify} ($yes/$no) [$yes]: "
+                read SMTP_TLS_VERIFY
+            else
+                SMTP_TLS_VERIFY=${USER_SMTP_TLS_VERIFY}
+            fi
+            if [ "X${SMTP_TLS_VERIFY}" = "X" ]; then
+                SMTP_TLS_VERIFY=${yes}
+            fi
+            if [ "X${SMTP_TLS_VERIFY}" = "X${no}" ]; then
+                USE_CURL_BUILD="yes"
+            fi
         ;;
     esac
 
@@ -551,7 +631,25 @@ ConfigureServer()
         echo "    <email_notification>yes</email_notification>" >> $NEWCONFIG
         echo "    <email_to>$EMAIL</email_to>" >> $NEWCONFIG
         echo "    <smtp_server>$SMTP</smtp_server>" >> $NEWCONFIG
-        echo "    <email_from>ossecm@${HOST}</email_from>" >> $NEWCONFIG
+        if [ "X${AUTH_SMTP}" = "X${yes}" ]; then
+            echo "    <auth_smtp>yes</auth_smtp>" >> $NEWCONFIG
+            echo "    <smtp_user>$SMTP_USER</smtp_user>" >> $NEWCONFIG
+            echo "    <smtp_password>$SMTP_PASS</smtp_password>" >> $NEWCONFIG
+        fi
+        if [ "X${SMTP_SECURE}" = "X${yes}" ]; then
+            echo "    <secure_smtp>yes</secure_smtp>" >> $NEWCONFIG
+        fi
+        if [ "X${SMTP_PORT}" != "X" ]; then
+            echo "    <smtp_port>$SMTP_PORT</smtp_port>" >> $NEWCONFIG
+        fi
+        if [ "X${SMTP_TLS_VERIFY}" = "X${no}" ]; then
+            echo "    <smtp_tls_verify>no</smtp_tls_verify>" >> $NEWCONFIG
+        fi
+        if [ "X${AUTH_SMTP}" = "X${yes}" ] && [ "X${SMTP_USER}" != "X" ]; then
+            echo "    <email_from>${SMTP_USER}</email_from>" >> $NEWCONFIG
+        else
+            echo "    <email_from>ossecm@${HOST}</email_from>" >> $NEWCONFIG
+        fi
     else
         echo "    <email_notification>no</email_notification>" >> $NEWCONFIG
     fi
@@ -977,7 +1075,7 @@ main()
 
 
     # Initial message
-    echo " $NAME $VERSION ${installscript} - http://www.ossec.net"
+    echo " $NAME $VERSION ${installscript} - https://www.ossec.net"
 
     catMsg "0x101-initial"
 

src/config/global-config.c

@@ -126,6 +126,7 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
     const char *xml_smtp_user = "smtp_user";
     const char *xml_smtp_password = "smtp_password";
     const char *xml_secure_smtp = "secure_smtp";
+    const char *xml_smtp_tls_verify = "smtp_tls_verify";
     const char *xml_smtp_port = "smtp_port";
 
 #ifdef LIBGEOIP_ENABLED
@@ -490,6 +491,18 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
             } else {
                 return (OS_INVALID);
             }
+        } else if (strcmp(node[i]->element, xml_smtp_tls_verify) == 0) {
+            if (strcmp(node[i]->content, "yes") == 0) {
+                if (Mail) {
+                    Mail->smtp_tls_verify = 1;
+                }
+            } else if (strcmp(node[i]->content, "no") == 0) {
+                if (Mail) {
+                    Mail->smtp_tls_verify = 0;
+                }
+            } else {
+                return (OS_INVALID);
+            }
         } else if (strcmp(node[i]->element, xml_smtp_user) == 0) {
             if (Mail) {
                 if (Mail->smtp_user) {

src/config/mail-config.h

@@ -39,6 +39,7 @@ typedef struct _MailConfig {
     /* SMTP auth (USE_CURL build only) */
     int authsmtp;       /* 0 = off (default), 1 = on */
     int securesmtp;     /* 0 = off (default), 1 = on */
+    int smtp_tls_verify; /* 1 = verify peer/host (default), 0 = accept any cert */
     int smtp_port;      /* 0 = use default per mode (465/587/25); else override */
     char *smtp_user;
     char *smtp_pass;

src/config/reports-config.h

@@ -38,6 +38,7 @@ typedef struct _monitor_config {
     /* SMTP auth (USE_SMTP_CURL only) */
     int authsmtp;
     int securesmtp;
+    int smtp_tls_verify;
     int smtp_port;
     char *smtp_user;
     char *smtp_pass;

src/monitord/main.c

@@ -144,6 +144,7 @@ int main(int argc, char **argv)
 
     mond.authsmtp = 0;
     mond.securesmtp = 0;
+    mond.smtp_tls_verify = 1;
     mond.smtp_port = 0;
     mond.smtp_user = NULL;
     mond.smtp_pass = NULL;
@@ -164,6 +165,7 @@ int main(int argc, char **argv)
         const char *(xml_idsname[]) = {"ossec_config", "global", "email_idsname", NULL};
         const char *(xml_auth_smtp[]) = {"ossec_config", "global", "auth_smtp", NULL};
         const char *(xml_secure_smtp[]) = {"ossec_config", "global", "secure_smtp", NULL};
+        const char *(xml_smtp_tls_verify[]) = {"ossec_config", "global", "smtp_tls_verify", NULL};
         const char *(xml_smtp_port[]) = {"ossec_config", "global", "smtp_port", NULL};
         const char *(xml_smtp_user[]) = {"ossec_config", "global", "smtp_user", NULL};
         const char *(xml_smtp_pass[]) = {"ossec_config", "global", "smtp_password", NULL};
@@ -238,6 +240,21 @@ int main(int argc, char **argv)
                     }
                 }
 
+                if (mond.reports) {
+                    char *tmp_tls_verify = OS_GetOneContentforElement(&xml, xml_smtp_tls_verify);
+                    if (tmp_tls_verify) {
+                        if (strcmp(tmp_tls_verify, "yes") == 0) {
+                            mond.smtp_tls_verify = 1;
+                        } else if (strcmp(tmp_tls_verify, "no") == 0) {
+                            mond.smtp_tls_verify = 0;
+                        } else {
+                            merror("%s: ERROR: Invalid value for 'smtp_tls_verify' (expected yes/no). Disabling email reports.", ARGV0);
+                            mond.reports = NULL;
+                        }
+                        free(tmp_tls_verify);
+                    }
+                }
+
                 if (mond.reports) {
                     char *tmp_port = OS_GetOneContentforElement(&xml, xml_smtp_port);
                     if (tmp_port) {

src/monitord/sendcustomemail.c

@@ -269,9 +269,14 @@ int OS_SendCustomEmail2(char **to, char *subject, char *fname, monitor_config *m
     memset(curl_errbuf, 0, sizeof(curl_errbuf));
     curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, curl_errbuf);
 
-    /* Explicit TLS verification so behavior is not dependent on libcurl defaults */
-    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
-    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
+    if (mail->smtp_tls_verify) {
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);
+    } else {
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
+        curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
+        verbose("%s: SMTP TLS certificate verification disabled (smtp_tls_verify=no).", ARGV0);
+    }
 
     if (mail->authsmtp && mail->smtp_user && mail->smtp_pass) {
         curl_easy_setopt(curl, CURLOPT_USERNAME, mail->smtp_user);

src/os_maild/config.c

@@ -50,6 +50,7 @@ int MailConf(int test_config, const char *cfgfile, MailConfig *Mail)
     Mail->smtpserver_resolved = NULL;
     Mail->authsmtp = 0;
     Mail->securesmtp = 0;
+    Mail->smtp_tls_verify = 1;
     Mail->smtp_port = 0;
     Mail->smtp_user = NULL;
     Mail->smtp_pass = NULL;
@@ -75,9 +76,9 @@ int MailConf(int test_config, const char *cfgfile, MailConfig *Mail)
     }
 
 #ifndef USE_SMTP_CURL
-    if (Mail->authsmtp || Mail->securesmtp || Mail->smtp_port ||
+    if (Mail->authsmtp || Mail->securesmtp || !Mail->smtp_tls_verify || Mail->smtp_port ||
         Mail->smtp_user || Mail->smtp_pass) {
-        merror("%s: SMTP authentication/TLS options (auth_smtp, secure_smtp, smtp_port, smtp_user, smtp_password) require building with USE_CURL=yes.", ARGV0);
+        merror("%s: SMTP authentication/TLS options (auth_smtp, secure_smtp, smtp_tls_verify, smtp_port, smtp_user, smtp_password) require building with USE_CURL=yes.", ARGV0);
         MailConf_clear_smtp_config(Mail);
         return (OS_INVALID);
     }