[ZBX-11042] send_email_curl() fails to send to O365 Created: 2016 Jul 28 Updated: 2024 Apr 10 Resolved: 2017 Sep 08 |
|
| Status: | Closed |
| Project: | ZABBIX BUGS AND ISSUES |
| Component/s: | Frontend (F), Server (S) |
| Affects Version/s: | 3.0.4 |
| Fix Version/s: | 3.0.11rc1, 3.2.8rc1, 3.4.2rc1, 4.0.0alpha1, 4.0 (plan) |
| Type: | Patch request | Priority: | Critical |
| Reporter: | Maros Bartko | Assignee: | Unassigned |
| Resolution: | Fixed | Votes: | 5 |
| Labels: | encryption, smtp | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||||||
| Team: |  Team C |
||||||||||||||||||||
| Sprint: | Sprint 15, Sprint 16 | ||||||||||||||||||||
| Story Points: | 0.5 | ||||||||||||||||||||
| Description |
|
send_email_curl() prepends smtps:// for SSL/TLS email alerts. e.g. curl with ssl to smtp://smtp.office365.com:587 # curl smtp://smtp.office365.com:587 -v --ssl * Rebuilt URL to: smtp://smtp.office365.com:587/ * Hostname was NOT found in DNS cache * Trying 2a01:111:f400:1429::2... * Connected to smtp.office365.com (2a01:111:f400:1429::2) port 587 (#0) < 220 CO2PR05CA020.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 28 Jul 2016 09:50:32 +0000 e.g. curl with ssl to smtps://smtp.office365.com:587 (what zabbix does if SSL/TLS is chosen # curl smtps://smtp.office365.com:587 -v --ssl * Rebuilt URL to: smtps://smtp.office365.com:587/ * Hostname was NOT found in DNS cache * Trying 2a01:111:f400:243c::2... * Connected to smtp.office365.com (2a01:111:f400:243c::2) port 587 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol * Closing connection 0 curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol I think it would be best to leave the protocol used to the user. |
| Comments |
| Comment by Aleksandrs Saveljevs [ 2016 Aug 01 ] |
Could you please elaborate a bit on this suggestion? |
| Comment by Aleksandrs Saveljevs [ 2016 Aug 01 ] |
|
A similar issue reported several months ago: |
| Comment by Maros Bartko [ 2016 Aug 01 ] |
Sure, I've seen it. While I agree that SSL23_GET_SERVER_HELLO:unknown protocol is not necessarily caused by a bug in zabbix in all cases, the linked StackOverflow thread is not helpful at all, considering I (or the reporter of
Essentialy, instead of Zabbix choosing whether to prepend smtp or smtps in send_email_curl(), give this option to the user. smtp://smtp.office365.com smtps://smtp.office365.com smtp.office365.com |
| Comment by Aleksandrs Saveljevs [ 2016 Aug 02 ] |
|
When you do curl smtp://smtp.office365.com:587 -v --ssl, it connects to the server (which speaks plain SMTP) and then issues a STARTTLS command. So it is a plain connection by default, which is then augmented to encrypted. So it seems wrong to use "SSL/TLS" as "Connection security" in media settings and "STARTTLS" should be used instead. Could you please try that? |
| Comment by Maros Bartko [ 2016 Aug 02 ] |
|
Tried it. 13414:20160802:090913.939 > EHLO xxx.com 13414:20160802:090913.942 < 250-BL2PR20CA0022.outlook.office365.com Hello [xxx] 13414:20160802:090913.942 < 250-SIZE 157286400 13414:20160802:090913.942 < 250-PIPELINING 13414:20160802:090913.942 < 250-DSN 13414:20160802:090913.942 < 250-ENHANCEDSTATUSCODES 13414:20160802:090913.942 < 250-AUTH LOGIN 13414:20160802:090913.942 < 250-8BITMIME 13414:20160802:090913.942 < 250-BINARYMIME 13414:20160802:090913.942 < 250 CHUNKING 13414:20160802:090913.942 * No known authentication mechanisms supported! 13414:20160802:090913.942 * Closing connection 0 13414:20160802:090913.942 * SSLv3, TLS alert, Client hello (1): 13414:20160802:090913.942 Login denied: 13414:20160802:090913.942 End of send_email():FAIL So the actual reason for this not working is that only AUTH PLAIN is supported by zabbix. Sorry for misleading this for a bit. EDIT: Are there plans for adding AUTH LOGIN as an option for SMTP? |
| Comment by Aleksandrs Saveljevs [ 2016 Aug 02 ] |
There has been no request for additional SMTP authentication options until now. Do you have a possibility to recompile Zabbix server? If you replace "AUTH=PLAIN" with "AUTH=*", does it start working? |
| Comment by Aleksandrs Saveljevs [ 2016 Aug 08 ] |
|
Request for AUTH LOGIN support has just been filed in ZBXNEXT-3367. |
| Comment by Speederer [ 2017 Apr 17 ] |
|
Hi, I tried to recompile Zabbix server with modified email.c and after that it works fine! Could you make this modification as default to the next version? Thanks! |
| Comment by Zygimantas [ 2017 May 02 ] |
|
And what about if I installed from packages and not compiled by my own? |
| Comment by Speederer [ 2017 May 02 ] |
|
I installed Zabbix from package at first and I faced this issue in that configuration. So I had to compile it from source with that little modification. |
| Comment by Michel Meyers [ 2017 May 24 ] |
|
I just added a patch to ZBXNEXT-3367. Hopefully it, or a cleaner version of it, will get integrated into a future version. |
| Comment by Glebs Ivanovskis (Inactive) [ 2017 Aug 28 ] |
|
Server side fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-11042 revision r71721. |
| Comment by Michel Meyers [ 2017 Aug 28 ] |
|
Backed out my own changes and applied changes mentioned in https://support.zabbix.com/browse/ZBX-11042?focusedCommentId=237382&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-237382 to Zabbix 3.4.0. Can confirm that email works with Office 365 afterwards. |
| Comment by Glebs Ivanovskis (Inactive) [ 2017 Sep 05 ] |
|
Fixed in:
|
| Comment by Glebs Ivanovskis (Inactive) [ 2017 Sep 05 ] |
|
(5) [D] Because of (3) https://www.zabbix.com/documentation/3.0/manual/config/notifications/media/email needs to be updated. martins-v It looks as though this phrase: CURLOPT_LOGIN_OPTIONS is set to “AUTH=PLAIN” should be changed for versions starting with 3.0.11, 3.2.8, 3.4.2. Do you have any suggestions regarding the possible wording? glebs.ivanovskis Really nice catch! I would say
BTW, if this part of documentation is that technical, should we keep old parameter naming and old behaviour description for users who does not upgrade? Screenshot needs to be updated too. martins-v Yes, description of the old behaviour will have to stay. The new behaviour will be added as 'since version...'. martins-v Since we've retained reference to the old naming, I've decided not to change the original screenshots for 3.0, 3.2. Other than that, the new descriptions have been added for 3.0, 3.2, 3.4. RESOLVED glebs.ivanovskis Is it intentional that only 3.4 docs received new screenshot? Other than that |
| Comment by Glebs Ivanovskis (Inactive) [ 2017 Sep 05 ] |
|
(6) [D] I think that https://www.zabbix.com/documentation/3.0/manual/installation/upgrade_notes_3011 should mention that before this change Zabbix was requiring PLAIN authentication mechanism and now libcurl may decide on it's own which mechanism among supported by SMTP server to choose. With parameters Zabbix passes to libcurl it effectively means choosing between PLAIN and LOGIN on most occasions. This is enough to enable Zabbix operation with Office 365 and should be enough for Gmail provided that "less secure apps" are allowed. martins-v Added for 3.0.11. Please review. glebs.ivanovskis Looks good! Regarding "less secure apps" we can point users to Google Support but I don't know where would be the most suitable place for it. Would be odd to write Zabbix and Gmail integration guide in Upgrade notes. martins-v Thanks, also added to:
RESOLVED glebs.ivanovskis Cool! |
