Add SMTP TLS and authentication

Enable authenticated and TLS SMTP for ossec-maild when built with
USE_CURL=yes (off by default). Uses libcurl for SMTP AUTH (PLAIN/LOGIN)
and TLS/STARTTLS; credentials and TLS are validated and sanitized.

Security hardening: header/envelope CR/LF sanitization, hostname
validation for smtp_server, timeouts, mandatory TLS when AUTH is on,
post-parse credential validation, and secure clearing of password
in config and at exit.

CA bundle and chroot
  ossec-maild runs inside a chroot (e.g. /var/ossec). libcurl uses
  CURLOPT_SSL_VERIFYPEER=1 and by default looks for the system CA bundle
  (e.g. /etc/ssl/certs/ca-certificates.crt). After chroot, that path
  is not visible, so TLS verification fails (CURLE_PEER_FAILED_VERIFICATION)
  and mail is dropped unless the CA bundle is available inside the chroot.
  Installation (or the admin) must copy or symlink the system CA bundle
  into the chroot (e.g. <chroot>/etc/ssl/certs/ca-certificates.crt) and
  either set CURLOPT_CAINFO to that path in code or ensure the default
  path resolves inside the chroot. Do not disable VERIFYPEER.

Original idea and initial implementation from alexbartlow via
  Allow TLS Email sends as a compile-time option
  ossec#1360

Credit: alexbartlow (PR ossec#1360)

Signed-off-by: Scott R. Shinn <scott@atomicorp.com>

Author: atomicturtle

src/Makefile

@@ -27,6 +27,7 @@ INSTALL_RESOLVCONF?=yes
 USE_PRELUDE?=no
 USE_ZEROMQ?=no
 USE_GEOIP?=no
+USE_CURL?=no
 USE_INOTIFY=no
 USE_PCRE2_JIT=yes
 USE_SYSTEMD?=yes
@@ -259,6 +260,11 @@ ifneq (,$(filter ${USE_GEOIP},auto yes y Y 1))
 	OSSEC_LDFLAGS+=-lGeoIP
 endif # USE_GEOIP
 
+ifneq (,$(filter ${USE_CURL},yes y Y 1))
+	DEFINES+=-DUSE_SMTP_CURL
+	OSSEC_LDFLAGS+=-lcurl
+endif # USE_CURL
+
 ifneq (,$(filter ${USE_SQLITE},auto yes y Y 1))
 	DEFINES+=-DSQLITE_ENABLED
 	ANALYSISD_FLAGS="-lsqlite3"
@@ -618,6 +624,7 @@ settings:
 	@echo "USE settings:"
 	@echo "    USE_ZEROMQ:       ${USE_ZEROMQ}"
 	@echo "    USE_GEOIP:        ${USE_GEOIP}"
+	@echo "    USE_CURL:         ${USE_CURL}"
 	@echo "    USE_PRELUDE:      ${USE_PRELUDE}"
 	@echo "    USE_OPENSSL:      ${USE_OPENSSL}"
 	@echo "    USE_INOTIFY:      ${USE_INOTIFY}"

src/config/global-config.c

@@ -122,6 +122,11 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
     const char *xml_smtpserver = "smtp_server";
     const char *xml_heloserver = "helo_server";
     const char *xml_mailmaxperhour = "email_maxperhour";
+    const char *xml_auth_smtp = "auth_smtp";
+    const char *xml_smtp_user = "smtp_user";
+    const char *xml_smtp_password = "smtp_password";
+    const char *xml_secure_smtp = "secure_smtp";
+    const char *xml_smtp_port = "smtp_port";
 
 #ifdef LIBGEOIP_ENABLED
     const char *xml_geoip_db_path = "geoip_db_path";
@@ -453,17 +458,82 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
                 }
                 os_strdup(node[i]->content, Mail->idsname);
             }
+        } else if (strcmp(node[i]->element, xml_auth_smtp) == 0) {
+            if (strcmp(node[i]->content, "yes") == 0) {
+                if (Config) {
+                    Config->authsmtp = 1;
+                }
+                if (Mail) {
+                    Mail->authsmtp = 1;
+                }
+            } else if (strcmp(node[i]->content, "no") == 0) {
+                if (Config) {
+                    Config->authsmtp = 0;
+                }
+                if (Mail) {
+                    Mail->authsmtp = 0;
+                }
+            } else {
+                return (OS_INVALID);
+            }
+        } else if (strcmp(node[i]->element, xml_secure_smtp) == 0) {
+            if (strcmp(node[i]->content, "yes") == 0) {
+                if (Config) {
+                    Config->securesmtp = 1;
+                }
+                if (Mail) {
+                    Mail->securesmtp = 1;
+                }
+            } else if (strcmp(node[i]->content, "no") == 0) {
+                if (Config) {
+                    Config->securesmtp = 0;
+                }
+                if (Mail) {
+                    Mail->securesmtp = 0;
+                }
+            } else {
+                return (OS_INVALID);
+            }
+        } else if (strcmp(node[i]->element, xml_smtp_user) == 0) {
+            if (Mail) {
+                if (Mail->smtp_user) {
+                    free(Mail->smtp_user);
+                }
+                os_strdup(node[i]->content, Mail->smtp_user);
+            }
+        } else if (strcmp(node[i]->element, xml_smtp_password) == 0) {
+            if (Mail) {
+                if (Mail->smtp_pass) {
+                    memset_secure(Mail->smtp_pass, 0, strlen(Mail->smtp_pass));
+                    free(Mail->smtp_pass);
+                }
+                os_strdup(node[i]->content, Mail->smtp_pass);
+            }
         } else if (strcmp(node[i]->element, xml_smtpserver) == 0) {
 #ifndef WIN32
             if (Mail && (Mail->mn)) {
                 if (node[i]->content[0] == '/') {
                     os_strdup(node[i]->content, Mail->smtpserver);
                 } else {
+#ifdef USE_SMTP_CURL
+                    /* Pre-resolve for CURLOPT_RESOLVE; DNS is unavailable after chroot */
+                    if (Mail->smtpserver_resolved) {
+                        free(Mail->smtpserver_resolved);
+                        Mail->smtpserver_resolved = NULL;
+                    }
+                    Mail->smtpserver_resolved = OS_GetHost(node[i]->content, 5);
+                    if (!Mail->smtpserver_resolved) {
+                        merror(INVALID_SMTP, __local_name, node[i]->content);
+                        return (OS_INVALID);
+                    }
+                    /* Hostname as-is for libcurl; common free + os_strdup below */
+#else
                     Mail->smtpserver = OS_GetHost(node[i]->content, 5);
                     if (!Mail->smtpserver) {
                         merror(INVALID_SMTP, __local_name, node[i]->content);
                         return (OS_INVALID);
                     }
+#endif
                 }
                 free(Mail->smtpserver);
                 os_strdup(node[i]->content, Mail->smtpserver);
@@ -473,6 +543,18 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
             if (Mail && (Mail->mn)) {
                 os_strdup(node[i]->content, Mail->heloserver);
             }
+        } else if (strcmp(node[i]->element, xml_smtp_port) == 0) {
+            if (Mail && (Mail->mn)) {
+                if (!OS_StrIsNum(node[i]->content)) {
+                    merror(XML_VALUEERR, __local_name, node[i]->element, node[i]->content);
+                    return (OS_INVALID);
+                }
+                Mail->smtp_port = atoi(node[i]->content);
+                if (Mail->smtp_port < 1 || Mail->smtp_port > 65535) {
+                    merror(XML_VALUEERR, __local_name, node[i]->element, node[i]->content);
+                    return (OS_INVALID);
+                }
+            }
         } else if (strcmp(node[i]->element, xml_mailmaxperhour) == 0) {
             if (Mail) {
                 if (!OS_StrIsNum(node[i]->content)) {

src/config/global-config.h

@@ -53,6 +53,10 @@ typedef struct __Config {
     /* Mail alerting */
     short int mailnotify;
 
+    /* SMTP auth (USE_CURL build only) */
+    short int authsmtp;
+    short int securesmtp;
+
     /* Custom Alert output*/
     short int custom_alert_output;
     char *custom_alert_output_format;

src/config/mail-config.h

@@ -34,6 +34,14 @@ typedef struct _MailConfig {
     char *idsname;
     char *smtpserver;
     char *heloserver;
+    char *smtpserver_resolved;  /* pre-resolved IP for CURLOPT_RESOLVE when chrooted (USE_SMTP_CURL) */
+
+    /* SMTP auth (USE_CURL build only) */
+    int authsmtp;       /* 0 = off (default), 1 = on */
+    int securesmtp;     /* 0 = off (default), 1 = on */
+    int smtp_port;      /* 0 = use default per mode (465/587/25); else override */
+    char *smtp_user;
+    char *smtp_pass;
 
     /* Granular e-mail options */
     unsigned int *gran_level;

src/monitord/main.c

@@ -145,7 +145,11 @@ int main(int argc, char **argv)
         mond.emailidsname = OS_GetOneContentforElement(&xml, xml_idsname);
 
         if (tmpsmtp && mond.emailfrom) {
+#ifdef USE_SMTP_CURL
+            os_strdup(tmpsmtp, mond.smtpserver);
+#else
             mond.smtpserver = OS_GetHost(tmpsmtp, 5);
+#endif
             if (!mond.smtpserver) {
                 merror(INVALID_SMTP, ARGV0, tmpsmtp);
                 if (mond.emailfrom) {
@@ -154,6 +158,8 @@ int main(int argc, char **argv)
                 mond.emailfrom = NULL;
                 merror("%s: Invalid SMTP server.  Disabling email reports.", ARGV0);
             }
+            free(tmpsmtp);
+            tmpsmtp = NULL;
         } else {
             if (tmpsmtp) {
                 free(tmpsmtp);

src/os_maild/config.c

@@ -25,6 +25,12 @@ int MailConf(int test_config, const char *cfgfile, MailConfig *Mail)
     Mail->idsname = NULL;
     Mail->smtpserver = NULL;
     Mail->heloserver = NULL;
+    Mail->smtpserver_resolved = NULL;
+    Mail->authsmtp = 0;
+    Mail->securesmtp = 0;
+    Mail->smtp_port = 0;
+    Mail->smtp_user = NULL;
+    Mail->smtp_pass = NULL;
     Mail->mn = 0;
     Mail->priority = 0;
     Mail->maxperhour = 12;
@@ -45,6 +51,18 @@ int MailConf(int test_config, const char *cfgfile, MailConfig *Mail)
         return (OS_INVALID);
     }
 
+#ifndef USE_SMTP_CURL
+    if (Mail->authsmtp) {
+        merror("%s: SMTP authentication (auth_smtp=yes) requires building with USE_CURL=yes.", ARGV0);
+        return (OS_INVALID);
+    }
+#else
+    if (Mail->authsmtp && (!Mail->smtp_user || !Mail->smtp_pass)) {
+        merror("%s: auth_smtp=yes requires both smtp_user and smtp_password to be set.", ARGV0);
+        return (OS_INVALID);
+    }
+#endif
+
     if (!Mail->mn) {
         if (!test_config) {
             verbose(MAIL_DIS, ARGV0);