Alert email problems

Without authentication email alerts work when sent in cleartext, but authentication is required by policy. The combination of no authentication but with STARTTLS does not work.

When using MTA_AUTH=on or MTA_STARTTLS=on I get:
Testing the alert alert-task-done failed. Internal error.

In the logs:

The alert alert-task-done was triggered (Event: Task status changed to 'Done', Condition: Always)
md manage:WARNING:2023-08-03 09h12.30 UTC:86: email: system failed with ret 17664, 69, read FROM TO < /tmp/gvmd-args-lSzTuJ; /usr/sbin/sendmail -f "$FROM" "$TO" < /tmp/gvmd-content-xQ1cfJ > /dev/null 2>&1

I can see that greenbone sends EHLO and the mail server responds, but then greenbone closes the connection.

    image: greenbone/gvmd:stable
      - MTA_PORT=25
      - MTA_TLS=off
      - MTA_STARTTLS=off
      - MTA_AUTH=on
      - MTA_USER=me
      - MTA_PASSWORD=redacted

The mail server is quiet about this.

Note: I disabled STARTTLS to be able to see what is exchanged between greenbone and the mail server. I also tried with MTA_STARTTLS=on and the TLS tunnel is successfully established after EHLO, but the mail sending also does not work - like without STARTTLS.

What is going wrong? What do I need to change?


1 Like

I suppose that user is also on this forum (@Castor), it would be great if they could chime in.

1 Like

Hello, @trike !
MTA inside container is being configured with simple echoing config lines to config file. Your environment variables are converted to such a config:

port 25
tls off
tls_starttls off
auth on
user me
password redacted

You can try install MSTMP package locally, put config above to /etc/msmtprc and send messages via sendmail pipe like it is done inside a GVMD container:

echo -e "Subject: this is the subject\n\nthis is the body" > /tmp/gvmd-content-uNIuIC
/usr/sbin/sendmail -f "" some-target-mail@some.domain < /tmp/gvmd-content-uNIuIC
1 Like

I tested it within the gvmd container with the config shown above and it throws:

sendmail: cannot use a secure authentication method
sendmail: could not send mail (account default from /etc/msmtprc)

when using STARTTLS and no authentication:

sendmail: TLS certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.

The reason is that I am using my own internal CA. with postfix that has necer been a problem, but MSTMP seems to want to verify the certificate chain of the postfix certificate. Is there a way to diable this check or can you create a way to bring the root CA certificate into the container and make STMP use it?

Could you try it on local machine to exclude dependency lack in container?

sorry, not feasible. But I found the problem with TLS, see above.

the quickest hostfix would be to add a variable:

tls_certcheck (on|off)

I tested this in the container and then it sends the email, also authentication then works

Oh, corporate PKIs are always a headache :slight_smile:
You can mount CA-chain to the container - then your server will be trusted and no fixes will be needed.

I will add some more options to the script but cannot predict timing.

1 Like

please elaborate with detail, I dont know how to do it as I dont know the pathes that need mapping and the file names that are expected.

It depends on your environment. You have to make a little research.
I use something like this for Ubuntu containers running on RedHat hosts:

      - /etc/ssl/cert.pem:/etc/ssl/certs/ca-certificates.crt:ro

Thank you, that has worked for me. As a courtesy to those with the same issue, this is what I did on a Debian host:

  • cp rootca.crt /usr/local/share/ca-certificates
  • update-ca-certificates
  • added in docker-compose.yml under gvmd volumes:
    - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro