Allow TLS Email sends as a compile-time option

etc/templates/en/messages.txt

@@ -41,6 +41,15 @@ yoursmtp="We found your SMTP server as"
 usesmtp="Do you want to use it?"
 usingsmtp="Using SMTP server: "
 whatsmtp="What's your SMTP server ip/host?"
+useauthsmtp="Want to use authenticated SMTP?"
+
+noauthsmtp="SMTP authenticated not enabled"
+yesauthsmtp="SMTP authenticated enabled"
+userauthsmtp="Please, enter your SMTP username"
+passauthsmtp="Please, enter your SMTP password"
+usesecuresmtp="This server requires a secure connection (SSL)?"
+nosecuresmtp="SMTP with SSL disabled"
+yessecuresmtp="SMTP with SSL enabled"
 
 # Part 3.1/agent
 serveraddr="What's the IP Address or hostname of the OSSEC HIDS server?"

install.sh

@@ -19,7 +19,6 @@
 ### Looking up for the execution directory
 cd `dirname $0`
 
-
 ### Looking for echo -n
 ECHO="echo -n"
 hs=`echo -n "a"`
@@ -130,6 +129,8 @@ Install()
     chmod 600 ${OSSEC_INIT}
     cp -pr ${OSSEC_INIT} ${INSTALLDIR}${OSSEC_INIT}
     chmod 640 ${INSTALLDIR}${OSSEC_INIT}
+    mkdir ${INSTALLDIR}/lib
+    cp -R /lib/* ${INSTALLDIR}/lib
 
 
     # If update_rules is set, we need to tweak
@@ -241,7 +242,104 @@ UseRootcheck()
     fi
 }
 
+###############
+# UseSecureSMTP()
+###############
+UseSecureSMTP()
+{
+
+    # SMTP Authenticaction configuration (SSL)
+    echo ""
+    $ECHO "  ${usesecuresmtp} ($yes/$no) [$yes]: "
+
+    if [ "X${USER_ENABLE_SECURESMTP}" = "X" ]; then
+        read ESS
+    else
+        ESS=${USER_ENABLE_SECURESMTP}
+    fi
+
+    echo ""
+    case $ESS in
+        $nomatch)
+            echo "   - ${nosecuresmtp}."
+            ;;
+        *)
+            SECURESMTP="yes"
+            echo "   - ${yessecuresmtp}."
+            ;;
+    esac
+
+    # Adding to the config file
+    if [ "X${SECURESMTP}" = "Xyes" ]; then
+        echo "" >> $NEWCONFIG
+        echo "    <secure_smtp>yes</secure_smtp>" >> $NEWCONFIG
+        echo "" >> $NEWCONFIG
+    else
+      echo "" >> $NEWCONFIG
+      echo "    <secure_smtp>no</secure_smtp>" >> $NEWCONFIG
+      echo "" >> $NEWCONFIG
+    fi
+}
+
+
+###############
+# UseAuthSMTP()
+###############
+UseAuthSMTP()
+{
+
+    # SMTP Authenticaction configuration
+    echo ""
+    $ECHO "  ${useauthsmtp} ($yes/$no) [$yes]: "
+
+    if [ "X${USER_ENABLE_AUTHSMTP}" = "X" ]; then
+        read EAS
+    else
+        EAS=${USER_ENABLE_AUTHSMTP}
+    fi
+
+    echo ""
+    case $EAS in
+        $nomatch)
+            echo "   - ${noauthsmtp}."
+            ;;
+        *)
+            AUTHSMTP="yes"
+            echo "   - ${yesauthsmtp}."
+            ;;
+    esac
+
+    if [ "X${AUTHSMTP}" = "Xyes" ]; then
+      if [ "X${AUTHSMTP_USER}" = "X" ]; then
+        echo ""
+        $ECHO "  ${userauthsmtp}: "
+        read AUTHSMTP_USER
+      fi
+
+      if [ "X${AUTHSMTP_PASS}" = "X" ]; then
+        echo ""
+        $ECHO "  ${passauthsmtp}: "
+        stty -echo # turn off terminal echo to prevent peeping!
+        read AUTHSMTP_PASS
+        stty echo # turn on
+        echo ""
+      fi
+    fi
 
+    # Adding to the config file
+    if [ "X${AUTHSMTP}" = "Xyes" ]; then
+        echo "" >> $NEWCONFIG
+        echo "    <auth_smtp>yes</auth_smtp>" >> $NEWCONFIG
+        echo "    <smtp_user>$AUTHSMTP_USER</smtp_user>" >> $NEWCONFIG
+        echo "    <smtp_password>$AUTHSMTP_PASS</smtp_password>" >> $NEWCONFIG
+        echo "" >> $NEWCONFIG
+        UseSecureSMTP
+    else
+      echo "" >> $NEWCONFIG
+      echo "    <auth_smtp>no</auth_smtp>" >> $NEWCONFIG
+      echo "" >> $NEWCONFIG
+    fi
+}
 
 
 ##########
@@ -552,6 +650,8 @@ ConfigureServer()
         echo "    <email_notification>no</email_notification>" >> $NEWCONFIG
     fi
 
+    UseAuthSMTP
+
     echo "  </global>" >> $NEWCONFIG
     echo "" >> $NEWCONFIG
 
@@ -817,6 +917,9 @@ checkDependencies()
 
     PATH=$OLDOPATH
     export PATH
+
+    # Re-export sendmail_curl if curl support should be compiled in
+    export SENDMAIL_CURL
 }
 
 ##########

src/Makefile

@@ -51,6 +51,11 @@ endif
 
 OSSEC_LDFLAGS=${LDFLAGS} -lm
 
+ifeq (${SENDMAIL_CURL},yes)
+	DEFINES +=-DSENDMAIL_CURL=\"1\"
+	OSSEC_LDFLAGS+=-lcurl
+endif
+
 ifneq (${TARGET},winagent)
 ifeq (${uname_S},Linux)
 		DEFINES+=-DINOTIFY_ENABLED

src/config/global-config.c

@@ -121,6 +121,11 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
     const char *xml_heloserver = "helo_server";
     const char *xml_mailmaxperhour = "email_maxperhour";
 
+    const char *xml_auth_smtp = "auth_smtp";
+    const char *xml_smtp_user = "smtp_user";
+    const char *xml_smtp_pass = "smtp_password";
+    const char *xml_secure_smtp = "secure_smtp";
+
 #ifdef LIBGEOIP_ENABLED
     const char *xml_geoip_db_path = "geoip_db_path";
     const char *xml_geoip6_db_path = "geoip6_db_path";
@@ -201,6 +206,42 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
                 return (OS_INVALID);
             }
         }
+        /* SMTP Authentication */
+        else if(strcmp(node[i]->element, xml_auth_smtp) == 0)
+        {
+            if (strcmp(node[i]->content, "yes") == 0)
+            {
+                if (Config) Config->authsmtp = 1;
+                if (Mail) Mail->authsmtp = 1;
+            }
+            else if(strcmp(node[i]->content, "no") == 0)
+            {  
+                if (Config) Config->authsmtp = 0;
+                if (Mail) Mail->authsmtp = 0;
+            }
+            else
+            {
+                return(OS_INVALID);
+            }
+        }
+        /* Secure SMTP (SSL) */
+        else if(strcmp(node[i]->element, xml_secure_smtp) == 0)
+        {
+            if (strcmp(node[i]->content, "yes") == 0)
+            {
+                if (Config) Config->securesmtp = 1;
+                if (Mail) Mail->securesmtp = 1;
+            }
+            else if(strcmp(node[i]->content, "no") == 0)
+            {  
+                if (Config) Config->securesmtp = 0;
+                if (Mail) Mail->securesmtp = 0;
+            }
+            else
+            {
+                return(OS_INVALID);
+            }
+        }
         /* Prelude support */
         else if (strcmp(node[i]->element, xml_prelude) == 0) {
             if (strcmp(node[i]->content, "yes") == 0) {
@@ -445,17 +486,39 @@ int Read_Global(XML_NODE node, void *configp, void *mailp)
                 }
                 os_strdup(node[i]->content, Mail->idsname);
             }
+       } else if(strcmp(node[i]->element, xml_smtp_user) == 0) {
+          if(Mail && (Mail->authsmtp))
+          {
+              if(Mail->smtp_user)
+              {
+                  free(Mail->smtp_user);
+              }
+              os_strdup(node[i]->content, Mail->smtp_user);
+          }
+        } else if(strcmp(node[i]->element, xml_smtp_pass) == 0) {
+          if(Mail && (Mail->authsmtp))
+          {
+            if(Mail->smtp_pass)
+            {
+                free(Mail->smtp_pass);
+            }
+            os_strdup(node[i]->content, Mail->smtp_pass);
+          }
         } else if (strcmp(node[i]->element, xml_smtpserver) == 0) {
 #ifndef WIN32
             if (Mail && (Mail->mn)) {
                 if (node[i]->content[0] == '/') {
                     os_strdup(node[i]->content, Mail->smtpserver);
                 } else {
+#ifdef SENDMAIL_CURL
+                    os_strdup(node[i]->content, Mail->smtpserver);
+#else
                     Mail->smtpserver = OS_GetHost(node[i]->content, 5);
                     if (!Mail->smtpserver) {
                         merror(INVALID_SMTP, __local_name, node[i]->content);
                         return (OS_INVALID);
                     }
+#endif
                 }
                 free(Mail->smtpserver);
                 os_strdup(node[i]->content, Mail->smtpserver);

src/config/global-config.h

@@ -50,6 +50,10 @@ typedef struct __Config {
     /* Mail alerting */
     short int mailnotify;
 
+    /* Mail smtp auth */
+    short int authsmtp;
+    short int securesmtp;
+
     /* Custom Alert output*/
     short int custom_alert_output;
     char *custom_alert_output_format;

src/config/mail-config.h

@@ -27,6 +27,12 @@ typedef struct _MailConfig {
     char *smtpserver;
     char *heloserver;
 
+    /* auth smtp options */
+    int authsmtp;
+    char *smtp_user;
+    char *smtp_pass;
+    int securesmtp;
+
     /* Granular e-mail options */
     unsigned int *gran_level;
     unsigned int **gran_id;

src/monitord/main.c

@@ -145,6 +145,7 @@ int main(int argc, char **argv)
         mond.emailidsname = OS_GetOneContentforElement(&xml, xml_idsname);
 
         if (tmpsmtp && mond.emailfrom) {
+#ifndef SENDMAIL_CURL
             mond.smtpserver = OS_GetHost(tmpsmtp, 5);
             if (!mond.smtpserver) {
                 merror(INVALID_SMTP, ARGV0, tmpsmtp);
@@ -154,6 +155,7 @@ int main(int argc, char **argv)
                 mond.emailfrom = NULL;
                 merror("%s: Invalid SMTP server.  Disabling email reports.", ARGV0);
             }
+#endif
         } else {
             if (tmpsmtp) {
                 free(tmpsmtp);

src/os_maild/config.c

@@ -37,6 +37,11 @@ int MailConf(int test_config, const char *cfgfile, MailConfig *Mail)
     Mail->gran_format = NULL;
     Mail->groupping = 1;
     Mail->strict_checking = 0;
+    Mail->authsmtp = -1;
+    Mail->smtp_user = NULL;
+    Mail->smtp_pass = NULL;
+    Mail->securesmtp = 0;
+
 #ifdef LIBGEOIP_ENABLED
     Mail->geoip = 0;
 #endif