Alert email problems

Without authentication, email alerts work when sent in cleartext, but authentication is required by policy. The combination of no authentication but with STARTTLS does not work either.

When using MTA_AUTH=on or MTA_STARTTLS=on I get:
Testing the alert alert-task-done failed. Internal error.

In the logs:

The alert alert-task-done was triggered (Event: Task status changed to 'Done', Condition: Always)
md manage:WARNING:2023-08-03 09h12.30 UTC:86: email: system failed with ret 17664, 69, read FROM TO < /tmp/gvmd-args-lSzTuJ; /usr/sbin/sendmail -f "$FROM" "$TO" < /tmp/gvmd-content-xQ1cfJ > /dev/null 2>&1

I can see that greenbone sends EHLO and the mail server responds, but then greenbone closes the connection.

gvmd:
    image: greenbone/gvmd:stable
    environment:
      - MTA_HOST=mail.mynet.org
      - MTA_PORT=25
      - MTA_TLS=off
      - MTA_STARTTLS=off
      - MTA_AUTH=on
      - MTA_USER=me
      - MTA_FROM=me@mynet.org
      - MTA_PASSWORD=redacted

The mail server is quiet about this.

Note: I disabled STARTTLS to be able to see what is exchanged between greenbone and the mail server. I also tried with MTA_STARTTLS=on and the TLS tunnel is successfully established after EHLO, but the mail sending also does not work - like without STARTTLS.

What is going wrong? What do I need to change?

Note:

1 Like

I suppose that user is also on this forum (@Castor), it would be great if they could chime in.

1 Like

Hello, @trike !
The MTA inside the container is configured by simply echoing config lines into a config file. Your environment variables are converted to the following config:

host mail.mynet.org
port 25
tls off
tls_starttls off
auth on
user me
from me@mynet.org
password redacted

You can try installing the msmtp package locally, putting the config above into /etc/msmtprc and sending messages via the sendmail pipe, like it is done inside the GVMD container:

echo -e "Subject: this is the subject\n\nthis is the body" > /tmp/gvmd-content-uNIuIC
/usr/sbin/sendmail -f "me@mynet.org" some-target-mail@some.domain < /tmp/gvmd-content-uNIuIC
1 Like

I tested it within the gvmd container with the config shown above and it throws:

sendmail: cannot use a secure authentication method
sendmail: could not send mail (account default from /etc/msmtprc)

when using STARTTLS and no authentication:

sendmail: TLS certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.

The reason is that I am using my own internal CA. With postfix that has never been a problem, but msmtp seems to want to verify the certificate chain of the postfix certificate. Is there a way to disable this check, or can you create a way to bring the root CA certificate into the container and make msmtp use it?

Could you try it on local machine to exclude dependency lack in container?

Sorry, not feasible. But I found the problem with TLS, see above.

The quickest hotfix would be to add a variable:

tls_certcheck (on|off)

I tested this in the container and then it sends the email; authentication then works as well.

Oh, corporate PKIs are always a headache 🙂
You can mount CA-chain to the container - then your server will be trusted and no fixes will be needed.

I will add some more options to the script but cannot predict timing.

1 Like
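To make the two points of this thread checkable outside the container, here is an added shell example (my own, not part of the thread and not code from the Greenbone images): it rebuilds the msmtprc that the container derives from the MTA_* variables, exactly as quoted earlier in the thread, and then inspects the result for the three conditions the thread reports: auth enabled with neither tls nor tls_starttls (the "cannot use a secure authentication method" failure), tls_certcheck switched off (the hotfix, which silently drops server identity verification), and TLS enabled without a readable CA bundle at the path the mount example targets. The MTA_CERTCHECK variable, the output file and the check function are assumptions of this example, not something gvmd provides.

```shell
#!/bin/sh
# Added example, not from the thread or the Greenbone images.
# Assumes the env-to-config mapping quoted in the thread; MTA_CERTCHECK is a
# hypothetical extra variable, the default bundle path is the one mounted above.

# Emit an msmtprc body from MTA_* variables (defaults mirror the thread's post).
mta_env_to_msmtprc() {
  printf 'host %s\nport %s\ntls %s\ntls_starttls %s\nauth %s\n' \
    "${MTA_HOST:-localhost}" "${MTA_PORT:-25}" \
    "${MTA_TLS:-off}" "${MTA_STARTTLS:-off}" "${MTA_AUTH:-off}"
  [ -n "${MTA_USER:-}" ] && printf 'user %s\n' "$MTA_USER"
  [ -n "${MTA_FROM:-}" ] && printf 'from %s\n' "$MTA_FROM"
  [ -n "${MTA_PASSWORD:-}" ] && printf 'password %s\n' "$MTA_PASSWORD"
  # Hypothetical knob; when unset the msmtp default (certificate check on) applies.
  [ -n "${MTA_CERTCHECK:-}" ] && printf 'tls_certcheck %s\n' "$MTA_CERTCHECK"
  return 0
}

# Last value of a config key in an msmtprc file (empty if absent).
cfg_value() {
  sed -n "s/^$2 //p" "$1" | tail -n 1
}

# Inspect a generated config for the failure modes seen in this thread.
# Returns 0 when it looks sane, 1 for auth without any TLS (msmtp refuses
# plaintext auth: "cannot use a secure authentication method"), 2 when
# tls_certcheck is off (server identity is no longer verified), 3 when TLS is
# on but the CA bundle the mount should provide is not readable.
check_msmtp_config() {
  conf="$1"
  bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
  tls=$(cfg_value "$conf" tls)
  starttls=$(cfg_value "$conf" tls_starttls)
  auth=$(cfg_value "$conf" auth)
  certcheck=$(cfg_value "$conf" tls_certcheck)
  if [ "$auth" = on ] && [ "$tls" != on ] && [ "$starttls" != on ]; then
    echo "auth on without tls/tls_starttls: msmtp will refuse plaintext auth" >&2
    return 1
  fi
  if [ "$certcheck" = off ]; then
    echo "tls_certcheck off: the mail server's certificate is not verified" >&2
    return 2
  fi
  if { [ "$tls" = on ] || [ "$starttls" = on ]; } && [ ! -r "$bundle" ]; then
    echo "TLS enabled but CA bundle $bundle is not readable (mount it)" >&2
    return 3
  fi
  return 0
}

# Stand-alone demo with the thread's original (failing) settings.
demo=$(mktemp)
( MTA_HOST=mail.mynet.org MTA_PORT=25 MTA_TLS=off MTA_STARTTLS=off MTA_AUTH=on
  MTA_USER=me MTA_FROM=me@mynet.org MTA_PASSWORD=redacted
  mta_env_to_msmtprc ) > "$demo"
cat "$demo"
if check_msmtp_config "$demo"; then echo "config ok"; else echo "check failed with rc=$?"; fi
rm -f "$demo"
```

Run it on a host with sh and sed; the exit code of check_msmtp_config tells you which of the thread's three problems a given set of MTA_* variables would reproduce before you restart the container.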

Please elaborate in detail; I don't know how to do it, as I don't know the paths that need mapping and the file names that are expected.

It depends on your environment. You have to do a little research.
I use something like this for Ubuntu containers running on RedHat hosts:

    volumes:
      - /etc/ssl/cert.pem:/etc/ssl/certs/ca-certificates.crt:ro
2 Likes

Thank you, that has worked for me. As a courtesy to those with the same issue, this is what I did on a Debian host:

  • cp rootca.crt /usr/local/share/ca-certificates
  • update-ca-certificates
  • added in docker-compose.yml under gvmd volumes:
    - /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro
2 Likes