Check IMAP/SMTP/POP3 SSL/TLS Certificate Expiry with Nagios

In this tutorial, you will learn how to check IMAP/SMTP/POP3 SSL/TLS certificate expiry with Nagios. Nagios can be configured to monitor the expiry date of these certificates and alert before they expire.

Install and Setup Nagios

If you have not yet installed and set up Nagios, follow the link below to set it up.

How to Install Nagios Server on Debian 11

Create Nagios Script to Check IMAP/SMTP/POP3 SSL/TLS Certificate Expiry

By default, Nagios ships with plugins that can query the status of most services and system metrics. The location of these plugins depends on how you installed Nagios.

If you installed Nagios from the system repositories using a package manager, the plugins are most likely located under:

ls /usr/lib/nagios/plugins
check_apt      check_dhcp      check_flexlm  check_icmp		  check_jabber	check_mrtgtraf	   check_nt	   check_pgsql	 check_rta_multi  check_ssmtp  check_wave
check_breeze   check_dig       check_fping   check_ide_smart	  check_ldap	check_mysql	   check_ntp	   check_ping	 check_sensors	  check_swap   negate
check_by_ssh   check_disk      check_ftp     check_ifoperstatus   check_ldaps	check_mysql_query  check_ntp_peer  check_pop	 check_simap	  check_tcp    urlize
check_clamd    check_disk_smb  check_game    check_ifstatus	  check_load	check_nagios	   check_ntp_time  check_procs	 check_smtp	  check_time   utils.pm
check_cluster  check_dns       check_host    check_imap		  check_log	check_nntp	   check_nwstat    check_radius  check_snmp	  check_udp    utils.sh
check_curl     check_dummy     check_hpjd    check_imap_pop_smtp  check_mailq	check_nntps	   check_oracle    check_real	 check_spop	  check_ups
check_dbi      check_file_age  check_http    check_ircd		  check_mrtg	check_nrpe	   check_overcr    check_rpc	 check_ssh	  check_users

However, in some cases you may not find a plugin that does what you want. In that case, you need to develop your own custom script.

In this tutorial, we have created our own script to check the IMAP/SMTP/POP3 SSL/TLS certificate expiry date and placed it under the plugins directory as /usr/lib/nagios/plugins/check_mail_ssl.

You can install this script by copying and running this command on the terminal;

cat > /usr/lib/nagios/plugins/check_mail_ssl << 'EOL'
#!/bin/bash
## Usage example: ./check_mail_ssl -h <host> -p <port> -w 90 -c 60
## -h = mail server domain or IP
## -p = mail server port: 995/25/993
## -w = integer number (Warning days)
## -c = integer number (Critical days)
#
# Requirement : bc command should be installed.
#

HOST=""
PORT=""
WARN_DAYS=""
CRIT_DAYS=""

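printHelp () {
	# Only print usage here; each caller then exits with 3 (UNKNOWN),
	# so Nagios never records a bad invocation as OK.
	echo "Usage: ${0} -h <host> -p <port> -w <warn days> -c <critical days>"
}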

while getopts "h:p:w:c:" options
do
	case $options in
		h ) HOST=$OPTARG;;
		p ) PORT=$OPTARG;;
		w ) WARN_DAYS=$OPTARG;;
		c ) CRIT_DAYS=$OPTARG;;
	esac
done

if [ ! "$HOST" ]
then
	echo "ERROR: No mail server host domain or IP specified."
	printHelp
	exit 3
fi

if [ ! "$PORT" ]
then
	echo "ERROR: No mail server port specified."
	printHelp
	exit 3
fi

if [ ! "$WARN_DAYS" ]
then
	echo "ERROR: No certificate warning days specified."
	printHelp
	exit 3
fi

if [ ! "$CRIT_DAYS" ]
then
	echo "ERROR: No certificate critical days specified."
	printHelp
	exit 3
fi
##
## Plaintext ports need STARTTLS for their protocol; any other port is implicit TLS.
case "$PORT" in
	25|587|2525) STARTTLS=(-starttls smtp);;
	110) STARTTLS=(-starttls pop3);;
	143) STARTTLS=(-starttls imap);;
	*) STARTTLS=();;
esac
EXPIRY_DATE=$(echo "EXIT" | openssl s_client "${STARTTLS[@]}" -showcerts -connect "$HOST:$PORT" -servername "$HOST" 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null | awk -F '=' '{print $NF}')
## Without a certificate there is nothing to measure: report UNKNOWN instead of a bogus day count.
if [ -z "$EXPIRY_DATE" ]; then
	echo "SSL UNKNOWN: Could not retrieve a certificate from $HOST:$PORT."
	exit 3
fi
##
if [ "$PORT" -eq 25 ] || [ "$PORT" -eq 587 ] || [ "$PORT" -eq 2525 ] || [ "$PORT" -eq 465 ]; then
	SVC="SMTP"
elif [ "$PORT" -eq 143 ] || [ "$PORT" -eq 993 ]; then
	SVC="IMAP"
elif [ "$PORT" -eq 110 ] || [ "$PORT" -eq 995 ]; then
	SVC="POP3"
else
	# Any other port is treated as implicit TLS; label it generically.
	SVC="TLS"
fi
##
EXPIRY_DATE_SEC=$(date -d "$EXPIRY_DATE" "+%s")
CURRENT_DATE_SEC=$(date "+%s")
EXPIRY_DAYS=$(echo "($EXPIRY_DATE_SEC - $CURRENT_DATE_SEC)/(86400)" | bc)

# Decide "expired" on seconds, not on the truncated day count or the critical threshold.
if [ "$EXPIRY_DATE_SEC" -le "$CURRENT_DATE_SEC" ]; then
    echo "SSL CRITICAL: Mail server, $HOST, $SVC certificate expired on $EXPIRY_DATE."
    exit 2
elif [ "$EXPIRY_DAYS" -gt "$WARN_DAYS" ]; then
    echo "SSL OK: Mail server, $HOST, $SVC certificate will expire on $EXPIRY_DATE, $EXPIRY_DAYS days left."
    exit 0
elif [ "$EXPIRY_DAYS" -ge "$CRIT_DAYS" ]; then
    echo "SSL WARNING: Mail server, $HOST, $SVC certificate will expire on $EXPIRY_DATE, $EXPIRY_DAYS days left."
    exit 1
else
    echo "SSL CRITICAL: Mail server, $HOST, $SVC certificate will expire on $EXPIRY_DATE, $EXPIRY_DAYS days left."
    exit 2
fi
EOL

The script requires the basic calculator tool, bc, so install it using your system's package manager (apt on Debian/Ubuntu, dnf on RHEL-based systems).

apt install bc
dnf install bc

Next, make the script executable;

chmod +x /usr/lib/nagios/plugins/check_mail_ssl

Below is the script command line syntax;

./check_mail_ssl -h <host> -p <port> -w <warn days> -c <critical days>

Where:

-h = mail server domain or IP
-p = mail server port: 995/110 (POP3), 587/465/25 (SMTP), 993/143 (IMAP)
-w = integer number (Warning days)
-c = integer number (Critical days)

Let us run the script to test the functionality, using smtp.itnixpro.com, against all possible ports;

for i in 25 110 143 587 993 995; do /usr/lib/nagios/plugins/check_mail_ssl -h smtp.itnixpro.com -p $i -w 30 -c 5; done

Sample Output;

SSL OK: Mail server, smtp.itnixpro.com, SMTP certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
SSL OK: Mail server, smtp.itnixpro.com, POP3 certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
SSL OK: Mail server, smtp.itnixpro.com, IMAP certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
SSL OK: Mail server, smtp.itnixpro.com, SMTP certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
SSL OK: Mail server, smtp.itnixpro.com, IMAP certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
SSL OK: Mail server, smtp.itnixpro.com, POP3 certificate will expire on Oct 23 23:59:59 2022 GMT, 333 days left.
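
The threshold logic can be exercised without a live mail server by passing the current time in as an argument. The following is an added example, not the tutorial's plugin; the function name classify_expiry and the days_left perfdata label are assumptions, and it relies on GNU date to parse the openssl notAfter string.

```shell
#!/bin/bash
# Added example, not the tutorial's plugin. classify_expiry is a hypothetical name.
# Usage: classify_expiry NOT_AFTER NOW_EPOCH WARN_DAYS CRIT_DAYS
# Prints one status line with perfdata and returns the Nagios code (0/1/2/3).
# Assumes GNU date for parsing the openssl notAfter string.
classify_expiry() {
    local not_after="$1" now="$2" warn="$3" crit="$4"
    local expiry left days perf

    # No date means no certificate was retrieved: UNKNOWN, never a day count.
    if [ -z "$not_after" ] || ! expiry=$(date -u -d "$not_after" +%s 2>/dev/null); then
        echo "SSL UNKNOWN: no usable notAfter date"
        return 3
    fi

    left=$(( expiry - now ))
    days=$(( left / 86400 ))          # integer division, truncates toward zero
    # Perfdata thresholds use Nagios range syntax: "30:" alerts below 30.
    perf="days_left=${days};${warn}:;${crit}:"

    if [ "$left" -le 0 ]; then
        # Decided on seconds, so a certificate that lapsed an hour ago
        # is not reported as "0 days left".
        echo "SSL CRITICAL: certificate expired on $not_after | $perf"
        return 2
    elif [ "$days" -gt "$warn" ]; then
        echo "SSL OK: $days days left, expires on $not_after | $perf"
        return 0
    elif [ "$days" -ge "$crit" ]; then
        echo "SSL WARNING: $days days left, expires on $not_after | $perf"
        return 1
    fi
    echo "SSL CRITICAL: $days days left, expires on $not_after | $perf"
    return 2
}

# Constructed input: the notAfter value from the sample output above,
# evaluated at a fixed epoch (2021-11-24 00:00:00 UTC).
classify_expiry "Oct 23 23:59:59 2022 GMT" 1637712000 30 5
```

Boundary values behave like the plugin's: a day count equal to the warning threshold is WARNING, and anything below the critical threshold is CRITICAL.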

Define Nagios Command to Check IMAP/SMTP/POP3 SSL/TLS Certificate Expiry

Once you have set up Nagios, you need to define a command that queries the mail server's IMAP/SMTP/POP3 SSL/TLS certificate for its expiry date.

In our setup, we have put most of our configuration files under the directory, /etc/nagios4/objects/itnixpro/.

ls -1 /etc/nagios4/objects/itnixpro/
commands.cfg
hostgroup.cfg
hosts.cfg
hosts-services.cfg
hosts-service-template.cfg
itnixpro-contacts.cfg

To begin with, create a command definition that can be used to query the SSL/TLS certificate expiry date.

We will place the command configuration in the commands.cfg file.

vim /etc/nagios4/objects/itnixpro/commands.cfg
# Check Mail Server IMAP/SMTP/POP SSL/TLS Expiry date
define command {
    command_name    check_mailserver_ssl
    command_line    /usr/lib/nagios/plugins/check_mail_ssl -h $HOSTADDRESS$ -p $ARG1$ -w $ARG2$ -c $ARG3$
}

Save and exit the file.

Add the Mail Server Host to Nagios

Next, add the mail server host you want to monitor to Nagios. We use the hosts.cfg file in our setup.

vim /etc/nagios4/objects/itnixpro/hosts.cfg
define host {
    use                     itnixpro-hosts
    host_name               smtp.itnixpro.com
    address                 smtp.itnixpro.com
}

Save and exit the file.

Define the Service Configuration for Ports to Monitor

You then need to define the services for the respective ports to monitor SSL/TLS certs on;

vim /etc/nagios4/objects/itnixpro/hosts-services.cfg

Example Service definition for IMAP/SMTP/POP3

define service {
        use                     itnixpro-service
        host_name          	smtp.itnixpro.com
        service_description     IMAP_SSL_Expiry_Status
        check_command           check_mailserver_ssl!993!10!5
}
define service {
        use                     itnixpro-service
        host_name          	smtp.itnixpro.com
        service_description     SMTP_SSL_Expiry_Status
        check_command           check_mailserver_ssl!587!10!5
}
define service {
        use                     itnixpro-service
        host_name          	smtp.itnixpro.com
        service_description     POP3_SSL_Expiry_Status
        check_command           check_mailserver_ssl!995!10!5
}

Where:

  • check_command specifies the command to use, check_mailserver_ssl in this case.
  • !993!10!5 specifies the port, warn days, and critical days.

Check Nagios Configuration Syntax

The configs above are enough to check IMAP/SMTP/POP3 SSL/TLS certificate expiry.

Once you are done, run the command below to check the Nagios configuration for syntax or configuration errors.

nagios4 -v /etc/nagios4/nagios.cfg

Sample output;

Nagios Core 4.4.6
Copyright (c) 2009-present Nagios Core Development Team and Community Contributors
Copyright (c) 1999-2009 Ethan Galstad
Last Modified: 2020-04-28
License: GPL

Website: https://www.nagios.org
Reading configuration data...
   Read main config file okay...
   Read object config files okay...

Running pre-flight check on configuration data...

Checking objects...
	Checked 11 services.
	Checked 2 hosts.
	Checked 1 host groups.
	Checked 0 service groups.
	Checked 3 contacts.
	Checked 2 contact groups.
	Checked 182 commands.
	Checked 5 time periods.
	Checked 0 host escalations.
	Checked 0 service escalations.
Checking for circular paths...
	Checked 2 hosts
	Checked 0 service dependencies
	Checked 0 host dependencies
	Checked 5 timeperiods
Checking global event handlers...
Checking obsessive compulsive processor commands...
Checking misc settings...

Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check

Restart Nagios Service

Ensure the command above prints no errors. If there are any errors, fix them before you proceed.

If all is well, run the command below to restart the Nagios service.

systemctl restart nagios4

Check Host and Service Status

Next, log in to the Nagios web interface and check the host and service status.

And that is how you can easily check IMAP/SMTP/POP3 SSL/TLS certificate expiry with Nagios.
