In this tutorial, you will learn how to check IMAP/SMTP/POP3 SSL/TLS certificate expiry with Nagios. Nagios can be configured to monitor and alert on the expiry of SSL/TLS certificates.
Check IMAP/SMTP/POP3 SSL/TLS Certificate Expiry with Nagios
Install and Setup Nagios
If you have not installed and set up Nagios, follow the link below to set it up.
How to Install Nagios Server on Debian 11
Create Nagios Script to Check IMAP/SMTP/POP3 SSL/TLS Certificate Expiry
By default, Nagios usually ships with plugins that can be used to query and get the status of most services and system metrics. These plugins are located in different places depending on how you installed Nagios.
If you installed Nagios from the system repositories using a package manager, then most likely the plugins are located under;
ls /usr/lib/nagios/plugins
check_apt check_dhcp check_flexlm check_icmp check_jabber check_mrtgtraf check_nt check_pgsql check_rta_multi check_ssmtp check_wave check_breeze check_dig check_fping check_ide_smart check_ldap check_mysql check_ntp check_ping check_sensors check_swap negate check_by_ssh check_disk check_ftp check_ifoperstatus check_ldaps check_mysql_query check_ntp_peer check_pop check_simap check_tcp urlize check_clamd check_disk_smb check_game check_ifstatus check_load check_nagios check_ntp_time check_procs check_smtp check_time utils.pm check_cluster check_dns check_host check_imap check_log check_nntp check_nwstat check_radius check_snmp check_udp utils.sh check_curl check_dummy check_hpjd check_imap_pop_smtp check_mailq check_nntps check_oracle check_real check_spop check_ups check_dbi check_file_age check_http check_ircd check_mrtg check_nrpe check_overcr check_rpc check_ssh check_users
However, in some cases you may not find a script that does what you want. In that case, you need to develop your own custom script.
In this tutorial, we have created our own script to check the IMAP/SMTP/POP3 SSL/TLS certificate expiry date and placed it under the plugins directory as /usr/lib/nagios/plugins/check_mail_ssl.
You can install this script by copying and running this command on the terminal;
cat > /usr/lib/nagios/plugins/check_mail_ssl << 'EOL'
#!/bin/bash
## Usage example: ./check_mail_ssl -h <host> -p <port> -w 90 -c 60
## -h = mail server domain or IP
## -p = mail server port: 995/25/993
## -w = integer number (Warning days)
## -c = integer number (Critical days)
#
# Requirement : bc command should be installed.
#
HOST=""
PORT=""
WARN_DAYS=""
CRIT_DAYS=""

# Print usage only; the caller exits with 3 (Nagios UNKNOWN).
printHelp () {
    echo "Usage: ${0} -h <host> -p <port> -w <warn days> -c <critical days>"
}

while getopts "h:p:w:c:" options
do
    case $options in
        h ) HOST=$OPTARG;;
        p ) PORT=$OPTARG;;
        w ) WARN_DAYS=$OPTARG;;
        c ) CRIT_DAYS=$OPTARG;;
        * ) printHelp; exit 3;;
    esac
done

if [ ! "$HOST" ]
then
    echo "ERROR: No mail server host domain or IP specified."
    printHelp
    exit 3
fi
if [ ! "$PORT" ]
then
    echo "ERROR: No mail server port specified."
    printHelp
    exit 3
fi
if [ ! "$WARN_DAYS" ]
then
    echo "ERROR: No certificate warning days specified."
    printHelp
    exit 3
fi
if [ ! "$CRIT_DAYS" ]
then
    echo "ERROR: No certificate critical days specified."
    printHelp
    exit 3
fi

## Port and thresholds must be integers, otherwise the numeric tests
## below fail and the script would end with exit code 0 (OK).
for VALUE in "$PORT" "$WARN_DAYS" "$CRIT_DAYS"; do
    case $VALUE in
        *[!0-9]* )
            echo "ERROR: Port, warning days and critical days must be integers."
            printHelp
            exit 3;;
    esac
done

## STARTTLS ports need the protocol named; any other port is treated as implicit TLS.
if [ "$PORT" -eq 25 ] || [ "$PORT" -eq 587 ] || [ "$PORT" -eq 2525 ]; then
    EXPIRY_DATE=$(echo "EXIT" | openssl s_client -starttls smtp -showcerts -connect "$HOST:$PORT" -servername "$HOST" 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | awk -F '=' '{print $NF}')
elif [ "$PORT" -eq 110 ]; then
    EXPIRY_DATE=$(echo "EXIT" | openssl s_client -starttls pop3 -showcerts -connect "$HOST:$PORT" -servername "$HOST" 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | awk -F '=' '{print $NF}')
elif [ "$PORT" -eq 143 ]; then
    EXPIRY_DATE=$(echo "EXIT" | openssl s_client -starttls imap -showcerts -connect "$HOST:$PORT" -servername "$HOST" 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | awk -F '=' '{print $NF}')
else
    EXPIRY_DATE=$(echo "EXIT" | openssl s_client -showcerts -connect "$HOST:$PORT" -servername "$HOST" 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | awk -F '=' '{print $NF}')
fi

## No certificate retrieved (connection or handshake failure): report UNKNOWN
## instead of computing a date from an empty string.
if [ -z "$EXPIRY_DATE" ]; then
    echo "SSL UNKNOWN: Could not retrieve a certificate from $HOST:$PORT."
    exit 3
fi

## Service label used in the status message.
if [ "$PORT" -eq 25 ] || [ "$PORT" -eq 587 ] || [ "$PORT" -eq 2525 ] || [ "$PORT" -eq 465 ]; then
    SVC="SMTP"
elif [ "$PORT" -eq 143 ] || [ "$PORT" -eq 993 ]; then
    SVC="IMAP"
elif [ "$PORT" -eq 110 ] || [ "$PORT" -eq 995 ]; then
    SVC="POP3"
else
    SVC="TLS"
fi

## Days left until expiry (bc truncates toward zero).
EXPIRY_DATE_SEC=$(date -d "$EXPIRY_DATE" "+%s") || { echo "SSL UNKNOWN: Cannot parse expiry date '$EXPIRY_DATE'."; exit 3; }
CURRENT_DATE_SEC=$(date "+%s")
EXPIRY_DAYS=$(echo "($EXPIRY_DATE_SEC - $CURRENT_DATE_SEC)/(86400)" | bc)

## Compare seconds for the expired case, so that a certificate that expired
## less than a day ago is not reported as "0 days left".
if [ "$EXPIRY_DATE_SEC" -le "$CURRENT_DATE_SEC" ]; then
    echo "SSL CRITICAL: Mail server, $HOST, $SVC certificate expired on $EXPIRY_DATE."
    exit 2
elif [ "$EXPIRY_DAYS" -gt "$WARN_DAYS" ]; then
    echo "SSL OK: Mail server, $HOST, $SVC certificate will expire on $EXPIRY_DATE, $EXPIRY_DAYS days left."
    exit 0
elif [ "$EXPIRY_DAYS" -ge "$CRIT_DAYS" ]; then
    echo "SSL WARNING: Mail server, $HOST, $SVC certificate will expire on $EXPIRY_DATE, $EXPIRY_DAYS days left."
    exit 1
else
    echo "SSL CRITICAL: Mail server, $HOST, $SVC certificate will expire on $EXPIRY_DATE, $EXPIRY_DAYS days left."
    exit 2
fi
EOL
The script requires the basic calculator tool, bc, so install it using your respective system package manager.
apt install bc
dnf install bc
Next, make the script executable;
chmod +x /usr/lib/nagios/plugins/check_mail_ssl
Below is the script command line syntax;
./check_mail_ssl -h <host> -p <port> -w <warn days> -c <critical days>
Where:
-h = mail server domain or IP
-p = mail server port: 995/110 (POP3), 587/465/25 (SMTP), 993/143 (IMAP)
-w = integer number (Warning days)
-c = integer number (Critical days)
Let us run the script to test the functionality, using smtp.itnixpro.com, against all possible ports;
for i in 25 110 143 587 993 995; do /usr/lib/nagios/plugins/check_mail_ssl -h smtp.itnixpro.com -p $i -w 30 -c 5; done
Sample Output;
SSL OK: Mail server, smtp.itnixpro.com, SMTP certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
SSL OK: Mail server, smtp.itnixpro.com, POP3 certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
SSL OK: Mail server, smtp.itnixpro.com, IMAP certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
SSL OK: Mail server, smtp.itnixpro.com, SMTP certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
SSL OK: Mail server, smtp.itnixpro.com, IMAP certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
SSL OK: Mail server, smtp.itnixpro.com, POP3 certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
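The run above only exercises the OK path. The threshold decision can also be tested offline, without a live mail server; the following is an added example, not part of the original script. cert_state and show are hypothetical helper names, the notAfter lines and the fixed clock are constructed, and GNU date is assumed.

```shell
#!/bin/bash
# Added example (not the tutorial's script): map an `openssl x509 -enddate
# -noout` line to a Nagios state. cert_state and show are hypothetical names.
# Usage: cert_state "<notAfter line>" <now epoch> <warn days> <crit days>
cert_state() {
    local line="$1" now="$2" warn="$3" crit="$4" end end_sec days n

    # Clock and thresholds must be non-negative integers.
    for n in "$now" "$warn" "$crit"; do
        case "$n" in
            ''|*[!0-9]*) echo "SSL UNKNOWN: non-integer argument '$n'"; return 3 ;;
        esac
    done

    # No notAfter line means the handshake returned no certificate.
    case "$line" in
        notAfter=*) end=${line#notAfter=} ;;
        *) echo "SSL UNKNOWN: no certificate end date received"; return 3 ;;
    esac

    # GNU date (assumed) parses OpenSSL's "Oct 23 23:59:59 2022 GMT" format.
    end_sec=$(date -u -d "$end" +%s 2>/dev/null) || {
        echo "SSL UNKNOWN: cannot parse end date '$end'"; return 3; }

    # Compare seconds first: integer division would report a certificate
    # that expired a few hours ago as "0 days left".
    if [ "$end_sec" -le "$now" ]; then
        echo "SSL CRITICAL: certificate expired on $end"; return 2
    fi
    days=$(( ($end_sec - $now) / 86400 ))
    if [ "$days" -lt "$crit" ]; then
        echo "SSL CRITICAL: $days days left (expires $end)"; return 2
    elif [ "$days" -le "$warn" ]; then
        echo "SSL WARNING: $days days left (expires $end)"; return 1
    fi
    echo "SSL OK: $days days left (expires $end)"; return 0
}

# Print the status line and the exit code Nagios would see.
show() { local rc=0; cert_state "$@" || rc=$?; echo "  exit code: $rc"; }

# Constructed input: clock fixed at 2021-11-24 00:00:00 UTC, -w 30 -c 5.
NOW=1637712000
show "notAfter=Oct 23 23:59:59 2022 GMT" "$NOW" 30 5   # OK
show "notAfter=Dec  4 00:00:00 2021 GMT" "$NOW" 30 5   # WARNING
show "notAfter=Nov 26 12:00:00 2021 GMT" "$NOW" 30 5   # CRITICAL
show "notAfter=Nov 23 20:00:00 2021 GMT" "$NOW" 30 5   # expired
show "" "$NOW" 30 5                                    # UNKNOWN
```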
Define Nagios Command to Check IMAP/SMTP/POP3 SSL/TLS Certificate Expiry
Once you have set up Nagios, you need to define a command that is used to query the mail server IMAP/SMTP/POP3 SSL/TLS certificate to find the expiry date.
In our setup, we have put most of our configuration files under the directory /etc/nagios4/objects/itnixpro/.
ls -1 /etc/nagios4/objects/itnixpro/
commands.cfg
hostgroup.cfg
hosts.cfg
hosts-services.cfg
hosts-service-template.cfg
itnixpro-contacts.cfg
To begin with, create a definition of a command that can be used to query the SSL/TLS certificate expiry date.
We will place the command configuration in the commands.cfg file.
vim /etc/nagios4/objects/itnixpro/commands.cfg
# Check Mail Server IMAP/SMTP/POP SSL/TLS Expiry date
define command {
    command_name    check_mailserver_ssl
    command_line    /usr/lib/nagios/plugins/check_mail_ssl -h $HOSTADDRESS$ -p $ARG1$ -w $ARG2$ -c $ARG3$
}
Save and exit the file
Add the Mail Server Host to Nagios
Next, add the mail server host you want to monitor to Nagios. We use the hosts.cfg file in our setup.
vim /etc/nagios4/objects/itnixpro/hosts.cfg
define host {
    use          itnixpro-hosts
    host_name    smtp.itnixpro.com
    address      smtp.itnixpro.com
}
Save and exit the file.
Define the Service Configuration for Ports to Monitor
You then need to define the services for the respective ports to monitor SSL/TLS certs on;
vim /etc/nagios4/objects/itnixpro/hosts-services.cfg
Example Service definition for IMAP/SMTP/POP3
define service {
    use                    itnixpro-service
    host_name              smtp.itnixpro.com
    service_description    IMAP_SSL_Expiry_Status
    check_command          check_mailserver_ssl!993!10!5
}
define service {
    use                    itnixpro-service
    host_name              smtp.itnixpro.com
    service_description    SMTP_SSL_Expiry_Status
    check_command          check_mailserver_ssl!587!10!5
}
define service {
    use                    itnixpro-service
    host_name              smtp.itnixpro.com
    service_description    POP3_SSL_Expiry_Status
    check_command          check_mailserver_ssl!995!10!5
}
Where:
- check_command specifies the command to use, check_mailserver_ssl in this case.
- !993!10!5 specifies the port, warn days, and critical days.
Check Nagios Configuration Syntax
The configs above are enough to monitor IMAP/SMTP/POP3 SSL/TLS certificate expiry.
Thus, once you are done, run the command below to check for any syntax or configuration errors in the Nagios configs.
nagios4 -v /etc/nagios4/nagios.cfg
Sample output;
Nagios Core 4.4.6
Copyright (c) 2009-present Nagios Core Development Team and Community Contributors
Copyright (c) 1999-2009 Ethan Galstad
Last Modified: 2020-04-28
License: GPL
Website: https://www.nagios.org
Reading configuration data...
   Read main config file okay...
   Read object config files okay...
Running pre-flight check on configuration data...
Checking objects...
   Checked 11 services.
   Checked 2 hosts.
   Checked 1 host groups.
   Checked 0 service groups.
   Checked 3 contacts.
   Checked 2 contact groups.
   Checked 182 commands.
   Checked 5 time periods.
   Checked 0 host escalations.
   Checked 0 service escalations.
Checking for circular paths...
   Checked 2 hosts
   Checked 0 service dependencies
   Checked 0 host dependencies
   Checked 5 timeperiods
Checking global event handlers...
Checking obsessive compulsive processor commands...
Checking misc settings...
Total Warnings: 0
Total Errors: 0
Things look okay - No serious problems were detected during the pre-flight check
Restart Nagios Service
Ensure the command above prints no errors. If there are any errors, fix them before you proceed.
If all is well, run the command below to restart the Nagios service.
systemctl restart nagios4
Check Host and Service Status
Next, log in to the Nagios web interface and check the status.
And that is how you can easily check IMAP/SMTP/POP3 SSL/TLS certificate expiry with Nagios.