
@alexbartlow

To avoid setting up and configuring a sendmail server as a proxy (https://www.digitalocean.com/community/tutorials/how-to-send-email-through-an-external-smtp-service-with-sendmail-on-freebsd-10-1), we'd like the ability to simply point ossec-hids at an existing SMTP server.

Instead of re-implementing the wheel, I've added a compile-time flag to use curl to send with credentials over TLS to an external SMTP server. When compiling ossec-hids, you can use the SENDMAIL_CURL=1 env var to trigger a build that uses curl to send emails to the server you specify, instead of passing the information to a local sendmail install.

We've been using this patch ourselves, and it's working great.

I thought I'd at least offer it up to the community, though I can see the virtue of not wanting to take on this added complexity concern within the product itself. It does, however, greatly simplify the process of setting it up. Here's a snip from our relevant chef cookbook:

  #config template
  <global>
    <email_notification>yes</email_notification>
    <email_to><%= @smtp_to %></email_to>
    <smtp_server><%= @smtp_server %></smtp_server>
    <email_from><%= @smtp_from %></email_from>
    <auth_smtp>yes</auth_smtp>
    <smtp_user><%= @smtp_user %></smtp_user>
    <smtp_password><%= @smtp_password %></smtp_password>
    <secure_smtp>yes</secure_smtp>
  </global>

  #install recipe
  execute "run installer" do
    command "bash /opt/ossec/ossec-hids-master/install.sh"
    environment "SENDMAIL_CURL" => "yes"
    user "root"
    group "root"
  end

curl_easy_setopt(curl, CURLOPT_URL, mail->smtpserver);
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf);
curl_easy_setopt(curl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
curl_easy_setopt(curl, CURLOPT_DNS_SERVERS, "10.0.0.2,8.8.8.8,8.8.4.4");
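
Review bot: CURLOPT_IPRESOLVE is pinned to CURL_IPRESOLVE_V4 on the third line, so an SMTP server that is reachable only over IPv6 can never be used; drop the option or drive it from configuration. The CURLOPT_DNS_SERVERS line hard-codes one private address and two public resolvers, which bypasses the host's resolver configuration and can send lookups for the mail server's name to public DNS. libcurl also honours that option only when it is built with the c-ares resolver, and since none of the four curl_easy_setopt return values is checked, a rejected option would go unreported. Suggest removing the DNS line, leaving resolution to the system, and checking each return code against CURLE_OK with errbuf logged on failure.
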
Contributor

Should these really be hard-coded rather than relying on the system-configured name servers?

@alexbartlow
Author

@nbuuck thanks for pointing that out - I've removed the hard-coded DNS servers.

@sempervictus

#1381 looks to be adding libsodium; if that PR is to be implemented, would it make sense to convert the mail functionality to a thinner internal implementation? Primarily asking because curl does not come without concerns, nor does any library, but the depth of opaque function calls relative to this code is probably a bit deeper than if the send/recv/fmt was implemented here, and crypto was the sole component being farmed out.

shanet added a commit to aha-app/ossec-hids that referenced this pull request Oct 4, 2022