
Allow TLS Email sends as a compile-time option#1360

Open
alexbartlow wants to merge 2 commits intoossec:masterfrom
alexbartlow:secure_mail_with_curl

Conversation

@alexbartlow

To avoid setting up and configuring a sendmail server as a proxy (https://www.digitalocean.com/community/tutorials/how-to-send-email-through-an-external-smtp-service-with-sendmail-on-freebsd-10-1), we'd like the ability to simply point ossec-hids at an existing SMTP server.

Instead of re-implementing the wheel, I've added a compile-time flag to use curl to send with credentials over TLS to an external SMTP server. When compiling ossec-hids, you can use the SENDMAIL_CURL=1 env var to trigger a build that uses curl to send emails to the server you specify, instead of passing the information to a local sendmail install.

We've been using this patch ourselves, and it's working great.

I thought I'd at least offer it up to the community, though I can see the virtue of not wanting to take on this added complexity concern within the product itself. It does, however, greatly simplify the process of setting it up. Here's a snip from our relevant chef cookbook:

  # config template
  <global>
    <email_notification>yes</email_notification>
    <email_to><%= @smtp_to %></email_to>
    <smtp_server><%= @smtp_server %></smtp_server>
    <email_from><%= @smtp_from %></email_from>
    <auth_smtp>yes</auth_smtp>
    <smtp_user><%= @smtp_user %></smtp_user>
    <smtp_password><%= @smtp_password %></smtp_password>
    <secure_smtp>yes</secure_smtp>
  </global>

  # install recipe
  execute "run installer" do
    command "bash /opt/ossec/ossec-hids-master/install.sh"
    environment "SENDMAIL_CURL" => "yes"
    user "root"
    group "root"
  end

@nbuuck
Contributor

On these lines of the diff:

  curl_easy_setopt(curl, CURLOPT_URL, mail->smtpserver);
  curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf);
  curl_easy_setopt(curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
  curl_easy_setopt(curl, CURLOPT_DNS_SERVERS, "10.0.0.2,8.8.8.8,8.8.4.4");

Should these really be hard-coded rather than relying on the system-configured name servers?

@alexbartlow
Author

@nbuuck thanks for pointing that out - I've removed the hard-coded DNS servers.

@sempervictus

#1381 looks to be adding libsodium. If that PR is to be implemented, would it make sense to convert the mail functionality to a thinner internal implementation? Primarily asking because curl does not come without concerns, nor does any library, but the depth of opaque function calls relative to this code is probably a bit deeper than if the send/recv/fmt was implemented here and crypto was the sole component being farmed out.

shanet added a commit to aha-app/ossec-hids that referenced this pull request Oct 4, 2022
atomicturtle added a commit to atomicturtle/ossec-hids that referenced this pull request Mar 14, 2026
Enable authenticated and TLS SMTP for ossec-maild when built with
USE_CURL=yes (off by default). Uses libcurl for SMTP AUTH (PLAIN/LOGIN)
and TLS/STARTTLS; credentials and TLS are validated and sanitized.

Security hardening: header/envelope CR/LF sanitization, hostname
validation for smtp_server, timeouts, mandatory TLS when AUTH is on,
post-parse credential validation, and secure clearing of password
in config and at exit.

CA bundle and chroot
  ossec-maild runs inside a chroot (e.g. /var/ossec). libcurl uses
  CURLOPT_SSL_VERIFYPEER=1 and by default looks for the system CA bundle
  (e.g. /etc/ssl/certs/ca-certificates.crt). After chroot, that path
  is not visible, so TLS verification fails (CURLE_PEER_FAILED_VERIFICATION)
  and mail is dropped unless the CA bundle is available inside the chroot.
  Installation (or the admin) must copy or symlink the system CA bundle
  into the chroot (e.g. <chroot>/etc/ssl/certs/ca-certificates.crt) and
  either set CURLOPT_CAINFO to that path in code or ensure the default
  path resolves inside the chroot. Do not disable VERIFYPEER.

Original idea and initial implementation from alexbartlow via
  Allow TLS Email sends as a compile-time option
  ossec#1360

Credit: alexbartlow (PR ossec#1360)

Signed-off-by: Scott R. Shinn <scott@atomicorp.com>
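The commit message above names its hardening measures (CR/LF sanitization of header and envelope values, hostname validation for smtp_server, mandatory TLS when AUTH is on) but the page shows none of that code, and the PR description earlier shows only the `<global>` settings being fed in. The following is an added example written for this page, not code from ossec-hids, the PR, or the atomicorp commit: it applies those three checks to a configuration shaped like the PR's template and derives the URL that would go to CURLOPT_URL. `struct mail_cfg`, the function names, and the choice of `smtps://` for `secure_smtp=yes` are assumptions made for the illustration; libcurl itself is deliberately not linked, so the block runs stand-alone.

```c
/* Added example, not ossec-hids code: the configuration checks that the
 * commit message above describes (CR/LF sanitization of header and
 * envelope values, hostname validation for smtp_server, and mandatory
 * TLS when AUTH is on), applied to the <global> settings from the PR
 * description. struct mail_cfg and the function names are assumptions
 * made for this illustration; they are not ossec-maild's own API. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct mail_cfg {
    const char *smtpserver; /* <smtp_server> */
    const char *from;       /* <email_from> */
    const char *user;       /* <smtp_user>, NULL when auth is off */
    bool auth;              /* <auth_smtp>yes */
    bool secure;            /* <secure_smtp>yes */
};

/* A header or envelope value may not contain CR, LF or other control
 * characters: a newline inside e.g. the From address would otherwise be
 * handed to the server as the start of a new header line. */
bool header_value_ok(const char *s)
{
    if (s == NULL)
        return false;
    for (; *s != '\0'; s++)
        if ((unsigned char)*s < 0x20 || *s == 0x7f)
            return false;
    return true;
}

/* Hostname check in the RFC 1123 style: dot-separated labels of
 * [A-Za-z0-9-], no label starting or ending with '-', labels at most 63
 * characters, whole name at most 253, no empty labels and no trailing dot.
 * Anything else (a URL, a path, an embedded scheme) is rejected so the
 * value cannot steer libcurl away from the configured server. */
bool hostname_ok(const char *h)
{
    size_t len = (h != NULL) ? strlen(h) : 0;
    size_t label = 0;

    if (len == 0 || len > 253)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (c == '.') {
            if (label == 0 || h[i - 1] == '-')
                return false;
            label = 0;
        } else if (isalnum(c) || c == '-') {
            if (label == 0 && c == '-')
                return false;
            if (++label > 63)
                return false;
        } else {
            return false;
        }
    }
    return label > 0 && h[len - 1] != '-';
}

/* Derive the URL to hand to CURLOPT_URL and enforce the policy that
 * credentials never travel in the clear. With secure=yes the smtps://
 * scheme (implicit TLS) is used; a STARTTLS variant would keep smtp:// and
 * set CURLOPT_USE_SSL to CURLUSESSL_ALL instead. Name resolution is left
 * to the system resolver, i.e. no CURLOPT_DNS_SERVERS, as the review
 * thread above concluded. Returns the URL length, or -1 if the
 * configuration violates the policy. */
int build_smtp_url(const struct mail_cfg *c, char *out, size_t outlen)
{
    if (!hostname_ok(c->smtpserver) || !header_value_ok(c->from))
        return -1;
    if (c->auth && !c->secure)          /* AUTH requires TLS */
        return -1;
    if (c->auth && !header_value_ok(c->user))
        return -1;
    int n = snprintf(out, outlen, "%s://%s/",
                     c->secure ? "smtps" : "smtp", c->smtpserver);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample mirroring the PR's config template. */
    struct mail_cfg cfg = { "smtp.example.com", "ossec@example.com",
                            "ossec-bot", true, true };
    char url[256];
    int n = build_smtp_url(&cfg, url, sizeof url);
    printf("%d %s\n", n, n < 0 ? "(rejected)" : url);   /* 25 smtps://smtp.example.com/ */
    cfg.secure = false;
    printf("%d\n", build_smtp_url(&cfg, url, sizeof url)); /* -1: AUTH without TLS */
    return 0;
}
```

The CA-bundle point in the commit message is left to deployment rather than code here: the bundle has to be copied to `<chroot>/etc/ssl/certs/ca-certificates.crt` so that, after chroot, the path handed to CURLOPT_CAINFO (or libcurl's default) resolves; with that in place the `smtps://` URL above verifies the peer without touching CURLOPT_SSL_VERIFYPEER.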