Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement suggestion: TLS support and authenticated mail #1564

Open
rseichter opened this issue Oct 21, 2018 · 14 comments
Open

Enhancement suggestion: TLS support and authenticated mail #1564

rseichter opened this issue Oct 21, 2018 · 14 comments
Labels
feature-request needs-volunteers rn:server

Comments

@rseichter
Copy link

Superseding issue #453, which surprisingly has been open for four years:

In many environments it is a requirement these days to send email using TLS, often using port 587 (submission) instead of 25.

Once implemented, new settings should be introduced so as not to break existing configurations:

<smtp_server_enhanced>
    <!-- Allow IPv4, IPv6 or hostnames
    <address>127.0.0.1</address>
    <address>[::1]</address>
    -->
    <address>smtp.example.com</address>
    <!-- optional, default 25 -->
    <port>587</port>
    <!-- optional, no defaults -->
    <tls_cert>/path/to/cert.pem</tls_cert>
    <tls_key>/path/to/key.pem</tls_key>
    <username>johndoe</username>
    <password>S3CRET</password>
<smtp_server_enhanced>
@ddpbsd
Copy link
Member

ddpbsd commented Oct 22, 2018

Awesome, @rseichter . I think a lot of people would be happy for the feature.
I still think using the local smtpd to relay the mail is the best option (let the dedicated software you already have do the heavy lifting), but that doesn't seem like a popular option.
Let us know if there's anything we can do to help you get this implemented.

@ddpbsd ddpbsd mentioned this issue Oct 22, 2018
Closed
@rseichter
Copy link
Author

@ddpbsd : Sorry to curb your enthusiasm, but I filed this issue as an enhancement suggestion only. I have only recently started looking into OSSEC, and currently have no plans to implement TLS support myself. I'd regret if I inadvertently fooled people.

As for using a local smtpd: I maintain machines that don't have an MTA for policy reasons. In other cases, I'd like to use the sendmail binary, but I as far as I can tell OSSEC does not yet support this?

@rseichter rseichter changed the title Enhancement: TLS support and authenticated mail Enhancement suggestion: TLS support and authenticated mail Oct 22, 2018
@ddpbsd
Copy link
Member

ddpbsd commented Oct 22, 2018

Weird, I thought all unixy systems came with an smtpd, and have for a while.
OpenSMTPd is pretty simple and light.
I think using a sendmail binary is supposed to work, but it seems to be undocumented and I've never tried it.

@rseichter
Copy link
Author

I wrote "don't have an MTA for policy reasons". 😉 A dedicated database server, to name just one example, does not need to send or receive mail, so not installing an MTA (or any other software not required for the server's purpose) is a common security measure.

@ddpbsd
Copy link
Member

ddpbsd commented Oct 23, 2018

We can agree to disagree. I won't muddle this issue anymore.
To get this feature, we need someone to write the patch and submit a pull request.
They should also be willing to maintain the feature in the future.

@dan24678
Copy link

dan24678 commented Jan 8, 2019

@ddpbsd - Are you able to give me more information on your statement that "using a sendmail binary is supposed to work, but it seems to be undocumented"? I'm not familiar enough with C to be able to go into the source and figure out how to get this to work.

My servers are configured with nullmailer and mailx which forwards email to a SaaS-based email provider. So if OSSEC supported Username/Password for SMTP, I'd be good. Or, if it supported injection directly to /usr/bin/mail (which I am using nullmailer to proxy to the SaaS provider) then I would also be good.

You seem to suggest that the second option might actually work but there are some hidden, undocumented config settings I'd need?

@ddpbsd
Copy link
Member

ddpbsd commented Jan 8, 2019

@DrLongGhost https://github.com/ossec/ossec-hids/blob/master/src/os_maild/sendmail.c#L59
If smtpserver is set to something that starts with / it maild will use that binary to send mail. That's all I know, I've never needed to resort to it.

@dan24678
Copy link

dan24678 commented Jan 9, 2019

@ddpbsd - Thanks for the info. I'd thought that might be how it works.

I tried it and when I change <smtp_server> to /usr/bin/mail, nothing happens. There is no email sent and no errors in any logs anywhere indicating why it failed. I assume it's failing simply because sendmail/mailx is not an actual mail server so it was never going to work, but I'm not all that clear on the particulars of SMTP to say for sure.

On the plus side, I did realize that I can relatively easily push the alert logs to CloudWatch on AWS and generate alerts there, so that's likely my path forward. I would prefer if the more robust email options described in this feature request existed, but at least I can get OSSEC working for me in the meantime. Thanks for your help!

@ddpbsd
Copy link
Member

ddpbsd commented Jan 9, 2019

@DrLongGhost There is more information in pull request #689

@dan24678
Copy link

@ddpbsd - Thanks for that link. I actually got email injection working!

I ended up having to fix several issues:

  • I needed to set <email_alert_level>1</email_alert_level> so that my test events would actually trigger an email. This is probably why I wasn't seeing anything in the logs.
  • In my particular setup (using nullmailer instead of postfix) this was the config that worked for me:
<global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <email_from>[email protected]</email_from>
    <smtp_server>/usr/bin/nullmailer-inject -f [email protected]</smtp_server>
  </global>

This let me inject into the nullmailer queue and nullmailer then takes the email and forwards it on to my email SaaS provider (via, I believe, authenticated, secure SMTP).

Thanks again for the links!

@cschwaderer
Copy link

cschwaderer commented May 28, 2019
edited
Loading

Back to the original topic, I'd like to stress that I'd really appreciate that feature! I think, running a local mail server (or something similar) as a relay or whatever is somewhat annoying and maybe could be considered as outdated. It is so much more convenient to configure one "real" mail server with everything you need, set-up an internal account on that mail server for sending out notification emails, and then from every machine which needs to send emails, authenticate on your remote server and you are done. Way better than fiddling around on every machine with postfix, sendmail, ssmtp, several layers of relays, mailutils, and whatnot.

For many ecosystems, there are ready to use libraries/tools out there. For example, for Node.js there is emailjs and there is also the nice python command line tool smtp-cli

@ddpbsd
Copy link
Member

ddpbsd commented May 28, 2019

@cschwaderer It's on my list (despite the fact that using ansible to install opensmtpd seems like the better solution), but the list is long. What can I do to help you get started on adding these features?

@rseichter
Copy link
Author

@ddpbsd Given that "Copyright (C) 2019 Trend Micro Inc." is shown in the first line of the README, would it be possible to secure financial sponsorship for adding this feature (as in some commercial entity providing me with an incentive to spend my time developing it)?

@ddpbsd
Copy link
Member

ddpbsd commented May 28, 2019

@rseichter You'd have to talk to Trend. They basically have nothing to do with the project AFAIK.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request needs-volunteers rn:server
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dan24678 @ddpbsd @cschwaderer @rseichter