[ZBXNEXT-679] SMTP authentication support Created: 2007 Sep 01  Updated: 2016 Jun 02  Resolved: 2015 Oct 23

Status: Closed
Project: ZABBIX FEATURE REQUESTS
Component/s: Documentation (D), Frontend (F), Server (S)
Affects Version/s: None
Fix Version/s: 2.5.0

Type: New Feature Request Priority: Major
Reporter: Alexei Vladishev Assignee: Unassigned
Resolution: Fixed Votes: 23
Labels: authentication, notifications, smtp
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by ZBXNEXT-1519 Add E-Mail Authentification to Media ... Closed
is duplicated by ZBXNEXT-872 Recognition of specified SMTP server ... Closed
is duplicated by ZBXNEXT-2058 Extend Media-Type e-Mail with Port, S... Closed
is duplicated by ZBX-6907 Configure email trigger with SSL supp... Closed
is duplicated by ZBX-9193 wrong answer on MAIL FROM [530 5.7.0 ... Closed

 Description   

Implement SMTP authentication.

http://www.zabbix.com/forum/showthread.php?t=1323

Specification: https://www.zabbix.org/wiki/Docs/specs/ZBXNEXT-679



 Comments   
Comment by Lukasz Urbaniak [ 2012 Aug 15 ]

Can we have this implemented? It will help us a lot

Comment by Raymond Kuiper [ 2012 Oct 15 ]

This will probably also need some changes in the frontend, not just server. (username/password field)
Also, authentication automatically implies some form of encryption.

NONE/STARTTLS/SSL options and ports should be available. I'd also like to see a "verify/do not verify certificate" radiobutton.

Comment by Maxim Krušina [ 2012 Nov 03 ]

IMHO this is very important feature, because lot of mail providers today simply doesnt work without smtp auth (both our isp nd gmail

Comment by Ilir [ 2015 Jan 18 ]

Looking forward to this feature as it seems very easy to implement and would complete Zabbix in a major way. Thanks everyone.

Comment by Aleksandrs Saveljevs [ 2015 May 26 ]

(1) According to (32) in ZBXNEXT-282, SSLCALocation only works when cURL is used with OpenSSL. However, http://curl.haxx.se/libcurl/c/CURLOPT_CAPATH.html no longer claims that - rather, it says that any backend works. It should be verified which cURL version introduced this support and we should fix documentation accordingly.

asaveljevs According to cURL Git repository at https://github.com/bagder/curl.git, CURLOPT_CAPATH stopped being OpenSSL-specific in version 7.42.0:

$ cat RELEASE-NOTES
Curl and libcurl 7.42.0
...
This release includes the following bugfixes:
...
 o GnuTLS: add support for CURLOPT_CAPATH
$ cat docs/libcurl/opts/CURLOPT_CAPATH.3
...
.SH AVAILABILITY
This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS
backend provides the option only for backward compatibility.

In version 7.41.0, it used to say the following:

$ cat docs/libcurl/opts/CURLOPT_CAPATH.3
...
.SH AVAILABILITY
This option is OpenSSL-specific and does nothing if libcurl is built to use
GnuTLS. NSS-powered libcurl provides the option only for backward
compatibility.

asaveljevs Fixed the following pages:

RESOLVED

sasha CLOSED

Comment by Aleksandrs Saveljevs [ 2015 May 26 ]

(2) Currently, we rely on http://curl.haxx.se/libcurl/c/CURLOPT_LOGIN_OPTIONS.html for SMTP authentication support, which appeared in cURL 7.34.0. As the specification says, it should be decided whether we wish to use http://curl.haxx.se/libcurl/c/CURLOPT_USERPWD.html for cURL >= 7.31.0 and < 7.34.0.

asaveljevs Also, CURLOPT_LOGIN_OPTIONS is only required for SMTP authentication, but not for encryption. So, if a user only wishes to use encryption, but not SMTP authentication, we can lower the cURL version requirement.

wiper I don't think it's worth adding support for CURLOPT_USERPWD unless someone really needs it.
Regarding the other question - I believe we should lower version requirement for encryption and simply generate error if smtp authentication was used with libcurl version < 7.34.0

asaveljevs According to http://pkgs.org/search/libcurl , libcurl 7.32 is used in Fedora 20 and OpenSUSE 13.1. CentOS 7 uses libcurl 7.29.

asaveljevs Added support for CURLOPT_USERPWD in cURL 7.31.0 to 7.33.0 in r53882 and r53890.

asaveljevs CURLOPT_LOGIN_OPTIONS and ";AUTH=PLAIN" in CURLOPT_USERPWD are not strictly required: cURL chooses AUTH=PLAIN even if it is not explicitly specified. Therefore, we have lowered cURL version requirement in r53897 to cURL 7.20.0 (the one which has CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT).

asaveljevs If later we add support for some other login options, we will probably print a warning for cURL < 7.31.0 that this setting is not supported. RESOLVED.

wiper Please review a small change in r53907.

asaveljevs Thank you! CLOSED.

Comment by Aleksandrs Saveljevs [ 2015 May 26 ]

Server side available for review and testing in svn://svn.zabbix.com/branches/dev/ZBXNEXT-679 . Frontend side remains to be done.

Comment by Andris Zeila [ 2015 May 28 ]

(3) [S] Consider using CURLOPT_DEBUGFUNCTION curl option to provide debug information with CURLOPT_VERBOSE. This would allow to:

  1. use zabbix log functionality to write proper log messages, instead of allowing curl write debug information directly to zabbix log file (through stderr redirection)
  2. log data received/sent which might be useful for debugging issues

asaveljevs Option documentation: http://curl.haxx.se/libcurl/c/CURLOPT_DEBUGFUNCTION.html .

asaveljevs RESOLVED in r53881. It adds smtp_debug_function(), which seems to do the same as cURL's default verbose logging function (see Curl_debug() and showit() in lib/sendf.c).

wiper CLOSED

Comment by Andris Zeila [ 2015 Jun 01 ]

Database upgrade and server side SMTP authentication/encryption support successfully tested.

Comment by Oleg Egorov (Inactive) [ 2015 Jun 03 ]

(4) [F] Finished frontend side in r53887, 53905, r53924

And please see before testing:
https://support.zabbix.com/browse/ZBXNEXT-2357 (10)

iivs CLOSED.

Comment by Ivo Kurzemnieks [ 2015 Jun 05 ]

(5) Translation strings?

oleg.egorov
New strings:

  • Connection security
  • STARTTLS
  • SSL/TLS
  • Normal password

RESOLVED

iivs CLOSED.

<richlv> there seems to be at least one unlisted new string :

  • Incorrect media type port "%1$s" provided.
    and at least one change:
  • msgid "Media type \"%s\" already exists."
    + msgid "Media type \"%1$s\" already exists

iivs This is true, translation strings removed:

  • Media type "%s" already exists.

and few translation strings added:

  • Media type "%1$s" already exists.
  • Incorrect media type port "%1$s" provided.

CLOSED.

Comment by Ilir [ 2015 Jun 06 ]

Sorry for the (possibly) stupid question but when is this expected to be released? Is there any way we can patch it in now?

Thanks!

-Ilir

Comment by richlv [ 2015 Jun 06 ]

it's scheduled for zabbix 3.0

Comment by Ivo Kurzemnieks [ 2015 Jun 08 ]

(6) [F] As discussed: If "Connection security" is set to "None", then "SSL verify peer" and "SSL verify host" checkboxes should not be visible and if "Authentication" is set to "None", then "User" and "Password" fields should not be visible.

oleg.egorov RESOLVED IN r54018

iivs Just like in other forms when switching type in items, for example, the filled fields remain untouched, but in media types they are still cleared. Let's just hide them and clear upon save.

REOPENED.

oleg.egorov And as was discusses with sasha. CLOSED

Comment by Ivo Kurzemnieks [ 2015 Jun 08 ]

(7) Please update to latest trunk and resolve conflicting code do to coding style changes array(); => [];

oleg.egorov Updated to the latest trunk r54008. RESOLVED

iivs CLOSED.

Comment by Ivo Kurzemnieks [ 2015 Jun 08 ]

(8) [F] "Each API method must have it's own validation method. The validation method must be called “validate” followed by the name of the method. For example, the method for validating the create() method must be called validateCreate()."
Please see documentation: https://documentation.zabbix.lan/internal/development_guidelines/api/validation?s[]=validatecreate

There is a good validation that can be re-used from svn://svn.zabbix.com/branches/dev/ZBXNEXT-2033_244
In future the code will more consistent and it will be easier to implement new functionality in other branches.
Also check create and update method function and parameter descriptions.

oleg.egorov RESOLVED IN r54029

iivs As discussed, add better API validation for new fields.

REOPENED.

oleg.egorov And as was discusses with sasha. CLOSED

Comment by Ivo Kurzemnieks [ 2015 Jun 08 ]

(9) [F] When I enter a very large port number via API, I get error: Incorrect API message "Incorrect media type port \"\" provided.". Also API does not properly validate new checkbox fields allowing to enter any numeric value, thus potentially breaking something in frontend.

oleg.egorov RESOLVED IN r54015

iivs CLOSED.

Comment by Ivo Kurzemnieks [ 2015 Jun 08 ]

(10) [F] Fatal error occurs when no port is provided in frontend. To avoid this, we could use CNumericBox instead of CTextBox.

oleg.egorov RESOLVED IN r54015

iivs CLOSED.

Comment by Ivo Kurzemnieks [ 2015 Jun 08 ]

(11) [F] Coding style and other improvements:

  • administration.mediatype.edit.php:
    • Lines 65, 70, 75, 82, 86 parenthesis are not required
    • Line 99: overflow
  • administration.mediatype.edit.js.php:
    • Line 13: typo -> should probably be "radio button actions"
    • Bad JS function names that do actions. Function name should describe that it turn something on and off. Something like toggleSecurityOptions() and
      toggleAuthenticationOptions().
  • CMediatype.php:
    • Lines 240, 271: missing dot.
    • Line 243-257, 272-288: add parameter description
    • Line 258: return type is array
    • Line 289: missing extra space
    • Line 232 use "%1$s" instead of "%s"
    • Lines 225, 230 use array_key_exists instead of isset
    • Lines 203, 223: instead of in_array() for only two types use ||
    • Lines 195, 204: use API::getApiService()->select instead of $this->get, we have already validated that we are superadmin and fields.
    • Lines 197, 207: output should be the first option
    • Line 223: missing space after if

oleg.egorov RESOLVED IN r54029

iivs Thanks! See my changes in r54252

oleg.egorov CLOSED

Comment by Ivo Kurzemnieks [ 2015 Jul 02 ]

TESTED,
but close (11) before merging.

Comment by Oleg Egorov (Inactive) [ 2015 Jul 02 ]

Implemented in 2.5.0(trunk) r54263

Comment by richlv [ 2015 Jul 28 ]

(13) documentation

what else ?

martins-v Updated documentation:

Please review. RESOLVED.

sasha

REOPENED

martins-v Thanks, RESOLVED.

sasha Thanks! CLOSED

Comment by Oleksii Zagorskyi [ 2016 Jun 02 ]

zabbix API doc for new field was not updated, requested in ZBX-10870

Generated at Fri Mar 29 04:21:29 EET 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.