Merge pull request ossec#2195 from atomicturtle/smtp-auth-01

Add SMTP TLS and Authentication using libcurl

Author: atomicturtle

.github/workflows/make-multi-platform.yml

@@ -12,13 +12,15 @@ on:
 
 jobs:
   build-rocky:
-    name: Rocky Linux 9 (${{ matrix.target }})
+    name: Rocky Linux 9 (${{ matrix.target }}, USE_CURL=${{ matrix.use_curl }})
     runs-on: ubuntu-latest
     container: rockylinux:9
     strategy:
       fail-fast: false
       matrix:
         target: [ server, agent ]
+        # Exercise optional libcurl SMTP path (curlmail.c) in CI, not only local builds.
+        use_curl: [ no, yes ]
 
     steps:
       - uses: actions/checkout@v4
@@ -30,11 +32,18 @@ jobs:
           dnf install -y gcc make openssl-devel pcre2-devel zlib-devel \
             systemd-devel libevent-devel
           dnf install -y file-devel || true
+          if [ "${{ matrix.use_curl }}" = "yes" ]; then
+            dnf install -y libcurl-devel
+          fi
 
       - name: Build
         run: |
           cd src
-          make TARGET=${{ matrix.target }} PCRE2_SYSTEM=yes -j$(nproc)
+          if [ "${{ matrix.use_curl }}" = "yes" ]; then
+            make TARGET=${{ matrix.target }} PCRE2_SYSTEM=yes USE_CURL=yes -j$(nproc)
+          else
+            make TARGET=${{ matrix.target }} PCRE2_SYSTEM=yes -j$(nproc)
+          fi
 
   build-windows-agent:
     name: Windows agent (cross-compile)

README.md

@@ -17,6 +17,10 @@ The current stable releases are available on the ossec website.
 * Releases can be downloaded from: [Downloads](https://www.ossec.net/downloads/)
 * Release documentation is available at: [docs](https://www.ossec.net/docs/)
 
+## ossec-maild and libcurl SMTP TLS ##
+
+When built with `USE_CURL=yes`, failed SMTP sends log detailed libcurl errors in `ossec.log`: a TLS verification category line when certificate checks fail, `curl_easy_strerror` text, optional `CURLOPT_ERRORBUFFER` detail, `CURLINFO_SSL_VERIFYRESULT` (backend-specific), and `CURLINFO_OS_ERRNO` when set. See comments at the top of `src/os_maild/curlmail.c`.
+
 ## Development ##
 
 The development version is hosted on GitHub and just a simple git clone away. 

src/Makefile

@@ -27,6 +27,7 @@ INSTALL_RESOLVCONF?=yes
 USE_PRELUDE?=no
 USE_ZEROMQ?=no
 USE_GEOIP?=no
+USE_CURL?=no
 USE_INOTIFY=no
 USE_PCRE2_JIT=yes
 USE_SYSTEMD?=yes
@@ -260,6 +261,11 @@ ifneq (,$(filter ${USE_GEOIP},auto yes y Y 1))
 	OSSEC_LDFLAGS+=-lGeoIP
 endif # USE_GEOIP
 
+ifneq (,$(filter ${USE_CURL},yes y Y 1))
+	DEFINES+=-DUSE_SMTP_CURL
+	OSSEC_LDFLAGS+=-lcurl
+endif # USE_CURL
+
 ifneq (,$(filter ${USE_SQLITE},auto yes y Y 1))
 	DEFINES+=-DSQLITE_ENABLED
 	ANALYSISD_FLAGS="-lsqlite3"
@@ -619,6 +625,7 @@ settings:
 	@echo "USE settings:"
 	@echo "    USE_ZEROMQ:       ${USE_ZEROMQ}"
 	@echo "    USE_GEOIP:        ${USE_GEOIP}"
+	@echo "    USE_CURL:         ${USE_CURL}"
 	@echo "    USE_PRELUDE:      ${USE_PRELUDE}"
 	@echo "    USE_OPENSSL:      ${USE_OPENSSL}"
 	@echo "    USE_INOTIFY:      ${USE_INOTIFY}"

src/config/global-config.c

@@ -122,6 +122,11 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
     const char *xml_smtpserver = "smtp_server";
     const char *xml_heloserver = "helo_server";
     const char *xml_mailmaxperhour = "email_maxperhour";
+    const char *xml_auth_smtp = "auth_smtp";
+    const char *xml_smtp_user = "smtp_user";
+    const char *xml_smtp_password = "smtp_password";
+    const char *xml_secure_smtp = "secure_smtp";
+    const char *xml_smtp_port = "smtp_port";
 
 #ifdef LIBGEOIP_ENABLED
     const char *xml_geoip_db_path = "geoip_db_path";
@@ -453,17 +458,82 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
                 }
                 os_strdup(node[i]->content, Mail->idsname);
             }
+        } else if (strcmp(node[i]->element, xml_auth_smtp) == 0) {
+            if (strcmp(node[i]->content, "yes") == 0) {
+                if (Config) {
+                    Config->authsmtp = 1;
+                }
+                if (Mail) {
+                    Mail->authsmtp = 1;
+                }
+            } else if (strcmp(node[i]->content, "no") == 0) {
+                if (Config) {
+                    Config->authsmtp = 0;
+                }
+                if (Mail) {
+                    Mail->authsmtp = 0;
+                }
+            } else {
+                return (OS_INVALID);
+            }
+        } else if (strcmp(node[i]->element, xml_secure_smtp) == 0) {
+            if (strcmp(node[i]->content, "yes") == 0) {
+                if (Config) {
+                    Config->securesmtp = 1;
+                }
+                if (Mail) {
+                    Mail->securesmtp = 1;
+                }
+            } else if (strcmp(node[i]->content, "no") == 0) {
+                if (Config) {
+                    Config->securesmtp = 0;
+                }
+                if (Mail) {
+                    Mail->securesmtp = 0;
+                }
+            } else {
+                return (OS_INVALID);
+            }
+        } else if (strcmp(node[i]->element, xml_smtp_user) == 0) {
+            if (Mail) {
+                if (Mail->smtp_user) {
+                    free(Mail->smtp_user);
+                }
+                os_strdup(node[i]->content, Mail->smtp_user);
+            }
+        } else if (strcmp(node[i]->element, xml_smtp_password) == 0) {
+            if (Mail) {
+                if (Mail->smtp_pass) {
+                    memset_secure(Mail->smtp_pass, 0, strlen(Mail->smtp_pass));
+                    free(Mail->smtp_pass);
+                }
+                os_strdup(node[i]->content, Mail->smtp_pass);
+            }
         } else if (strcmp(node[i]->element, xml_smtpserver) == 0) {
 #ifndef WIN32
             if (Mail && (Mail->mn)) {
                 if (node[i]->content[0] == '/') {
                     os_strdup(node[i]->content, Mail->smtpserver);
                 } else {
+#ifdef USE_SMTP_CURL
+                    /* Pre-resolve for CURLOPT_RESOLVE; DNS is unavailable after chroot */
+                    if (Mail->smtpserver_resolved) {
+                        free(Mail->smtpserver_resolved);
+                        Mail->smtpserver_resolved = NULL;
+                    }
+                    Mail->smtpserver_resolved = OS_GetHost(node[i]->content, 5);
+                    if (!Mail->smtpserver_resolved) {
+                        merror(INVALID_SMTP, __local_name, node[i]->content);
+                        return (OS_INVALID);
+                    }
+                    /* Hostname as-is for libcurl; common free + os_strdup below */
+#else
                     Mail->smtpserver = OS_GetHost(node[i]->content, 5);
                     if (!Mail->smtpserver) {
                         merror(INVALID_SMTP, __local_name, node[i]->content);
                         return (OS_INVALID);
                     }
+#endif
                 }
                 free(Mail->smtpserver);
                 os_strdup(node[i]->content, Mail->smtpserver);
@@ -473,6 +543,18 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
             if (Mail && (Mail->mn)) {
                 os_strdup(node[i]->content, Mail->heloserver);
             }
+        } else if (strcmp(node[i]->element, xml_smtp_port) == 0) {
+            if (Mail && (Mail->mn)) {
+                if (!OS_StrIsNum(node[i]->content)) {
+                    merror(XML_VALUEERR, __local_name, node[i]->element, node[i]->content);
+                    return (OS_INVALID);
+                }
+                Mail->smtp_port = atoi(node[i]->content);
+                if (Mail->smtp_port < 1 || Mail->smtp_port > 65535) {
+                    merror(XML_VALUEERR, __local_name, node[i]->element, node[i]->content);
+                    return (OS_INVALID);
+                }
+            }
         } else if (strcmp(node[i]->element, xml_mailmaxperhour) == 0) {
             if (Mail) {
                 if (!OS_StrIsNum(node[i]->content)) {

src/config/global-config.h

@@ -53,6 +53,10 @@ typedef struct __Config {
     /* Mail alerting */
     short int mailnotify;
 
+    /* SMTP auth (USE_CURL build only) */
+    short int authsmtp;
+    short int securesmtp;
+
     /* Custom Alert output*/
     short int custom_alert_output;
     char *custom_alert_output_format;

src/config/mail-config.h

@@ -34,6 +34,14 @@ typedef struct _MailConfig {
     char *idsname;
     char *smtpserver;
     char *heloserver;
+    char *smtpserver_resolved;  /* pre-resolved IP for CURLOPT_RESOLVE when chrooted (USE_SMTP_CURL) */
+
+    /* SMTP auth (USE_CURL build only) */
+    int authsmtp;       /* 0 = off (default), 1 = on */
+    int securesmtp;     /* 0 = off (default), 1 = on */
+    int smtp_port;      /* 0 = use default per mode (465/587/25); else override */
+    char *smtp_user;
+    char *smtp_pass;
 
     /* Granular e-mail options */
     unsigned int *gran_level;

src/config/reports-config.h

@@ -31,9 +31,17 @@ typedef struct _monitor_config {
     int notify_time;
 
     char *smtpserver;
+    char *smtpserver_resolved;
     char *emailfrom;
     char *emailidsname;
 
+    /* SMTP auth (USE_SMTP_CURL only) */
+    int authsmtp;
+    int securesmtp;
+    int smtp_port;
+    char *smtp_user;
+    char *smtp_pass;
+
     char **agents;
     report_config **reports;
 } monitor_config;

src/monitord/generate_reports.c

@@ -78,10 +78,8 @@ void generate_reports(int cday, int cmon, int cyear)
                     merror("%s: INFO: Report '%s' empty.", ARGV0, mond.reports[s]->title);
                 } else if (OS_SendCustomEmail2(mond.reports[s]->emailto,
                                               mond.reports[s]->title,
-                                              mond.smtpserver,
-                                              mond.emailfrom,
-                                              mond.emailidsname,
-                                              fname)
+                                              fname,
+                                              &mond)
                            != 0) {
                     merror("%s: WARN: Unable to send report email.", ARGV0);
                 }