setec / check-email-loop

Nagios plugin to check email infrastructure via sending & retrieving emails
GNU General Public License v2.0

Certificate verify failed #4

Open Marco-Total opened 3 years ago

Marco-Total commented 3 years ago

Hello,

When I try to reach the mail server from the LAN, I get a certificate error message:

I can understand the error, is there any way to trust "insecure certificates" anyway?

./check_email_loop -poph 172.xx.xx.xx -popuser=monitor -passwd=xxx -popport=993 -usessl -useimap -smtphost=172.xx.xx.xx -smtpuser=monitor -smtppasswd=1qay-2wsx -smtpport=587 -from=monitor@xxx.de -to=xxx.xxx@xxx.de -usesmtptls -debug
Opened /usr/lib64/nagios/plugins/check_email_loop_e470b3b374f2dc8b185445a410ed9a1b.stat for writing...
----------------------------------------------------------------------
-------------------- Checking IMAP4 Mails ----------------------------
----------------------------------------------------------------------
IMAP RECEIVE CRITICAL - Could not connect to 172.xx.xxxx port 993: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at ./check_email_loop line 694.

Thanks for your help!

Rudi

bentolor commented 3 years ago

Hello @RUDI-TERROR ,

Inspecting the code, no "ignore certificate validation" option is implemented yet. It seems that the tool uses different ways for TLS depending on the service (POP, IMAP, SMTP), and each would require this change. I think generally this should be no big deal.

But given that your email users need to connect and talk to the same server in the same secure way as the monitoring tools: wouldn't it be better to at least use self-signed certificates? You can then add them to the respective trust stores for your users as well as for the monitoring tool.

Marco-Total commented 3 years ago

When I try to add the account in Outlook, I get a message:

This certification authority root certificate is not trusted because it is not in the repository of trusted root certification authorities.

Can I install the certificate on my monitoring-server in a "ca-trust" store?

bentolor commented 3 years ago

Beware that there are two different things:

  1. A Certificate Authority (CA): an instance which can sign a certificate as trustworthy, and
  2. a certificate: something your mail server can use for encrypted communication.

When Outlook, browsers & co. connect to an SSL-encrypted site, they download the certificate (2) and look out for a signature on that certificate from a CA (1) they trust: so they check if they have a CA registered as trusted and cryptographically check that the signature is valid and signed by a trusted CA.

So if you want to create and use your own certificates the same way as you would e.g. do with letsencrypt or Digicert certificates, you need to

  1. Create a CA private and public key/certificate
  2. Install that public CA key/certificate as a "trusted CA" in all clients that should connect to the service
  3. Create an application certificate and sign it with the CA certificate you created
  4. Install & use that signed certificate on your mail server.

The so-called "self-signed certificates" are just certificates which are not signed by any CA.

The way to add your own CA to your trust store depends on the OS & software, e.g. browsers tend to have their own CA list.

I assume you are German, so here are a few links which might help you in creating a CA, installing the CA in your clients (Windows/Linux) and signing a certificate for use in your mail server.

Note: This only makes sense for a purely internal server. If your server is publicly accessible I recommend using Letsencrypt. This also only works if your server is reachable by a DNS name like mymailserver.mycompany. You can't use signed certificates by IP only.
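The four steps above, plus the "by IP only" caveat, as an added shell example with the openssl CLI (this is not code from check-email-loop or from either commenter): it builds a private CA, signs a server certificate for a DNS name, and then verifies that certificate the way a client does, once with the CA trusted and once without. The host name mymailserver.mycompany, the IP 172.16.0.10 and the scratch directory are constructed values.

```shell
#!/bin/sh
# Added example (not check-email-loop code): build a private CA, sign a mail-server
# certificate for a DNS name, and verify it as a TLS client would. Scratch dir only.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Step 1: CA key + self-signed CA certificate. A private config keeps the CA
# extensions explicit instead of depending on the system openssl.cnf.
make_ca() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' '[dn]' \
    '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' >"$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Internal Mail CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 3: server key + CSR, signed by the CA. Clients match the host name they
# connected to against subjectAltName, so the DNS name must be listed there.
make_server_cert() {  # $1 = DNS name clients use, e.g. mymailserver.mycompany (constructed)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$1" >"$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -out "$WORK/server.crt" 2>/dev/null
}

# Steps 2 and 4 seen from the client: the CA is trusted (-CAfile stands in for the
# trust store) and the certificate is checked against the name that was dialled.
verify_as_client() {  # $1 = host name or IP address the client connected to
  case $1 in
    *[!0-9.]*) openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" ;;
    *)         openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" "$WORK/server.crt" ;;
  esac >/dev/null 2>&1
}

# What the plugin sees today: the issuing CA is absent from the default trust store.
verify_untrusted() { openssl verify "$WORK/server.crt" >/dev/null 2>&1; }

demo() {
  make_ca
  make_server_cert mymailserver.mycompany
  verify_untrusted || echo "no CA in trust store: certificate verify failed (the issue)"
  verify_as_client mymailserver.mycompany && echo "CA trusted, DNS name: OK"
  verify_as_client 172.16.0.10 || echo "CA trusted, by IP: fails (no IP in subjectAltName)"
}
case "${1:-}" in --run) demo ;; esac
```

Run it with `--run` to see the three outcomes; ca.crt is the file to import into the clients' and the monitoring host's trust stores, server.crt and server.key go on the mail server.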