- Problem report
- Resolution: Unresolved
- Trivial
- 7.0.3
- Ubuntu 22.04.04, Linux server10 5.15.0-118-generic #128-Ubuntu SMP Fri Jul 5 09:28:59 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux, 7 GB RAM, 2 cores, Intel haswell series, cloud instance machine in OVH (from their public cloud)
- Prev.Sprint, S24-W38/39, S24-W40/41
- 2
Steps to reproduce:
- Pretty much a standard configuration: an Email media type clone, which I changed as in the attached zabbix_1 picture, for use with the OVH email service based on Exchange 2019 (it's their email SaaS). By default, the curl/libcurl you use in Zabbix 7.0.3 sends GSSAPI as the default auth method (I checked this for OVH), and it cannot authenticate to the OVH email SaaS. OVH works only with AUTH LOGIN in STARTTLS mode, it seems.
- When an alarm occurs, it tries to send the email but it errors, and I enabled Debug 5 to see why.
Result:
See screenshot zabbix_1.png with configuration:
See log file...
OVH SaaS email is working only/better with AUTH LOGIN (see ticket ZBX-18532).
See the problem below: at 862814:20240821:062105.234 Zabbix is sending an AUTH GSSAPI, probably because GSSAPI is the default in curl. But OVH does not work well with this, only with PLAIN; see the swaks command much further below.
    250-ex5.mail.ovh.net Hello [54.37.76.158]
    862814:20240821:062105.234 < 250-SIZE 104857600
    862814:20240821:062105.234 < 250-PIPELINING
    862814:20240821:062105.234 < 250-DSN
    862814:20240821:062105.234 < 250-ENHANCEDSTATUSCODES
    862814:20240821:062105.234 < 250-AUTH GSSAPI NTLM LOGIN
    862814:20240821:062105.234 < 250-8BITMIME
    862814:20240821:062105.234 < 250-BINARYMIME
    862814:20240821:062105.234 < 250 CHUNKING
    862814:20240821:062105.234 * TLSv1.2 (OUT), TLS header, Supplemental data (23):
    862814:20240821:062105.234 > AUTH GSSAPI
    862814:20240821:062105.239 * TLSv1.2 (IN), TLS header, Supplemental data (23):
    862814:20240821:062105.239 < 334 GSSAPI supported
Another example: again we see at 1082130:20240821:080825.872 that we offer the default GSSAPI instead of AUTH LOGIN.
    1082130:20240821:080825.767 < 220 2.0.0 SMTP server ready
    1082130:20240821:080825.769 * TLSv1.0 (OUT), TLS header, Certificate Status (22):
    1082130:20240821:080825.769 * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    1082130:20240821:080825.811 * TLSv1.2 (IN), TLS header, Certificate Status (22):
    1082130:20240821:080825.811 * TLSv1.3 (IN), TLS handshake, Server hello (2):
    1082130:20240821:080825.811 * TLSv1.2 (IN), TLS handshake, Certificate (11):
    1082130:20240821:080825.814 * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    1082130:20240821:080825.814 * TLSv1.2 (IN), TLS handshake, Server finished (14):
    1082130:20240821:080825.814 * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    1082130:20240821:080825.814 * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    1082130:20240821:080825.814 * TLSv1.2 (OUT), TLS header, Finished (20):
    1082130:20240821:080825.814 * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    1082130:20240821:080825.815 * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    1082130:20240821:080825.815 * TLSv1.2 (OUT), TLS handshake, Finished (20):
    1082130:20240821:080825.843 * TLSv1.2 (IN), TLS header, Finished (20):
    1082130:20240821:080825.843 * TLSv1.2 (IN), TLS header, Certificate Status (22):
    1082130:20240821:080825.843 * TLSv1.2 (IN), TLS handshake, Finished (20):
    1082130:20240821:080825.843 * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    1082130:20240821:080825.843 * Server certificate:
    1082130:20240821:080825.843 * subject: CN=ex5.mail.ovh.net
    1082130:20240821:080825.843 * start date: Oct 26 00:00:00 2023 GMT
    1082130:20240821:080825.843 * expire date: Oct 25 23:59:59 2024 GMT
    1082130:20240821:080825.843 * issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
    1082130:20240821:080825.843 * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
    1082130:20240821:080825.843 * TLSv1.2 (OUT), TLS header, Supplemental data (23):
    1082130:20240821:080825.843 > EHLO t1-extra-headers
    1082130:20240821:080825.871 * TLSv1.2 (IN), TLS header, Supplemental data (23):
    1082130:20240821:080825.872 < 250-ex5.mail.ovh.net Hello [54.37.76.158]
    1082130:20240821:080825.872 < 250-SIZE 104857600
    1082130:20240821:080825.872 < 250-PIPELINING
    1082130:20240821:080825.872 < 250-DSN
    1082130:20240821:080825.872 < 250-ENHANCEDSTATUSCODES
    1082130:20240821:080825.872 < 250-AUTH GSSAPI NTLM LOGIN
    1082130:20240821:080825.872 < 250-8BITMIME
    1082130:20240821:080825.872 < 250-BINARYMIME
    1082130:20240821:080825.872 < 250 CHUNKING
    1082130:20240821:080825.872 * TLSv1.2 (OUT), TLS header, Supplemental data (23):
    1082130:20240821:080825.872 > AUTH GSSAPI
    1082130:20240821:080825.900 * TLSv1.2 (IN), TLS header, Supplemental data (23):
    1082130:20240821:080825.900 < 334 GSSAPI supported
In this second example we see GSSAPI is supported by OVH, but it does not work.
Expected:
The email to be sent using AUTH LOGIN like this:
    root@t1-extra-headers:~/# swaks --to [email protected] --from [email protected] --server ex5.mail.ovh.net --port 587 --tls --auth LOGIN --auth-user [email protected] --auth-password password
    === Trying ex5.mail.ovh.net:587...
    === Connected to ex5.mail.ovh.net.
    <- 220 ex5.mail.ovh.net Microsoft ESMTP MAIL Service ready at Thu, 22 Aug 2024 09:03:25 +0200
    -> EHLO t1-extra-headers
    <- 250-ex5.mail.ovh.net Hello [54.37.76.158]
    <- 250-SIZE 104857600
    <- 250-PIPELINING
    <- 250-DSN
    <- 250-ENHANCEDSTATUSCODES
    <- 250-STARTTLS
    <- 250-AUTH GSSAPI NTLM
    <- 250-8BITMIME
    <- 250-BINARYMIME
    <- 250 CHUNKING
    -> STARTTLS
    <- 220 2.0.0 SMTP server ready
    === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
    === TLS no local certificate set
    === TLS peer DN="/CN=ex5.mail.ovh.net"
    ~> EHLO t1-extra-headers
    <~ 250-ex5.mail.ovh.net Hello [54.37.76.158]
    <~ 250-SIZE 104857600
    <~ 250-PIPELINING
    <~ 250-DSN
    <~ 250-ENHANCEDSTATUSCODES
    <~ 250-AUTH GSSAPI NTLM LOGIN
    <~ 250-8BITMIME
    <~ 250-BINARYMIME
    <~ 250 CHUNKING
    ~> AUTH LOGIN
    <~ 334 VXNlcm5hbWU6
    ~> bWF4d2VsbEBmaWx0ZXJseS5ldQ==
    <~ 334 UGFzc3dvcmQ6
    ~> Wm5EVXF5endTRXJlR2R3RTdqSG42QWQ0OWppQkhMTWVkWkp0V1A0YQ==
    <~ 235 2.7.0 Authentication successful
    ~> MAIL FROM:<[email protected]>
    <~ 250 2.1.0 Sender OK
    ~> RCPT TO:<[email protected]>
    <~ 250 2.1.5 Recipient OK
    ~> DATA
    <~ 354 Start mail input; end with <CRLF>.<CRLF>
    ~> Date: Thu, 22 Aug 2024 07:03:26 +0000
    ~> To: [email protected]
    ~> From: [email protected]
    ~> Subject: test Thu, 22 Aug 2024 07:03:26 +0000
    ~> Message-Id: <20240822070326.1227704@t1-extra-headers>
    ~> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
    ~>
    ~> This is a test mailing
    ~>
    ~>
    ~> .
    <~ 250 2.6.0 <20240822070326.1227704@t1-extra-headers> [InternalId=2959232468058, Hostname=DAG9EX3.indiv5.local] 1415 bytes in 0.235, 5.857 KB/sec Queued mail for delivery
    ~> QUIT
    <~ 221 2.0.0 Service closing transmission channel
    === Connection closed with remote host.
I also tried to compile curl 8.9.1 without GSSAPI so as to force it to use the PLAIN method, but it did not work. I suppose you are using libcurl directly, not the curl binary itself?
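Added example, not part of the original report and not Zabbix code: a small triage script for DebugLevel 5 traces like the ones above. It reports which SASL mechanisms the server advertised, which one the client selected, and whether the session continued after a failed certificate check. The function name `summarize`, the result keys and the `wanted` parameter are this example's own; the sample lines are copied from the second trace in the report, with the TLS record lines left out.

```python
import re

# Excerpt copied from the report's second debug trace (TLS record lines omitted).
SAMPLE = """\
1082130:20240821:080825.843 * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
1082130:20240821:080825.843 > EHLO t1-extra-headers
1082130:20240821:080825.872 < 250-ENHANCEDSTATUSCODES
1082130:20240821:080825.872 < 250-AUTH GSSAPI NTLM LOGIN
1082130:20240821:080825.872 < 250 CHUNKING
1082130:20240821:080825.872 > AUTH GSSAPI
1082130:20240821:080825.900 < 334 GSSAPI supported
"""

# "<pid>:<yyyymmdd>:<hhmmss.mmm> <dir> <text>"
# dir: '<' server reply, '>' client command, '*' libcurl informational text
LINE = re.compile(r"^\d+:\d{8}:\d{6}\.\d{3} ([<>*])\s*(.*)$")
AUTH_CAPS = re.compile(r"^250[- ]AUTH[ =](.*)$", re.IGNORECASE)


def summarize(log, wanted="LOGIN"):
    """Summarize SASL negotiation and TLS verification for one SMTP session."""
    out = {"offered": [], "chosen": None, "tls_unverified": False}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a trace line in the expected format
        direction, text = m.groups()
        caps = AUTH_CAPS.match(text) if direction == "<" else None
        if caps:
            # The last EHLO reply wins: after STARTTLS the list may differ.
            out["offered"] = caps.group(1).upper().split()
        elif direction == ">" and text.upper().startswith("AUTH "):
            out["chosen"] = text.split()[1].upper()
        elif direction == "*" and "verify result" in text and "continuing anyway" in text:
            # Peer certificate was not validated, yet the session went on.
            out["tls_unverified"] = True
    out["wanted_offered"] = wanted in out["offered"]
    # Mismatch: the server offered the wanted mechanism but the client picked another.
    out["mismatch"] = out["wanted_offered"] and out["chosen"] not in (None, wanted)
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a full server log, split the input per session (per PID and connection) first, since the function keeps only the last capability list and the last AUTH command it sees.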