diff --git a/ChangeLog b/ChangeLog index 99f34c51..89a7cfed 100644 --- a/ChangeLog +++ b/ChangeLog @@ -21,6 +21,7 @@ ver. 1.0.3-dev-1 (20??/??/??) - development nightly edition if available for platform and uses DNS to find local IPv6 as a fallback only * improve `ignoreself` by considering all local addresses from network interfaces additionally to IPs from hostnames (gh-3132) * `action.d/mikrotik.conf` - new action for mikrotik routerOS, adds and removes entries from address lists on the router (gh-2860) +* `action.d/smtp.py` - added optional support for TLS connections via the `ssl` arg. * `filter.d/exim.conf` - fixed "dropped: too many ..." regex, also matching unrecognized commands now (gh-3502) * `filter.d/nginx-forbidden.conf` - new filter to ban forbidden locations, e. g. using `deny` directive (gh-2226) * `filter.d/sshd.conf`: diff --git a/config/action.d/smtp.py b/config/action.d/smtp.py index 5c27d0ff..ddd8861b 100644 --- a/config/action.d/smtp.py +++ b/config/action.d/smtp.py @@ -75,7 +75,7 @@ class SMTPAction(ActionBase): """ def __init__( - self, jail, name, host="localhost", user=None, password=None, + self, jail, name, host="localhost", ssl=False, user=None, password=None, sendername="Fail2Ban", sender="fail2ban", dest="root", matches=None): """Initialise action. @@ -88,6 +88,8 @@ class SMTPAction(ActionBase): host : str, optional SMTP host, of host:port format. Default host "localhost" and port "25" + ssl : bool, optional + Whether to use TLS for the SMTP connection or not. Default False. user : str, optional Username used for authentication with SMTP server. password : str, optional @@ -109,7 +111,7 @@ class SMTPAction(ActionBase): super(SMTPAction, self).__init__(jail, name) self.host = host - #TODO: self.ssl = ssl + self.ssl = ssl self.user = user self.password =password 
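Review bot: In the `@@ -75,7 +75,7 @@` hunk, `ssl=False` is inserted between `host` and `user`, which shifts `user` and `password` one position to the right for any caller that passes them positionally. Such a caller would have its username taken as the `ssl` flag and its password as the username, without any error at construction time. Callers are not visible here, so this may be harmless in practice, but appending the parameter keeps the signature backward-compatible: `sendername="Fail2Ban", sender="fail2ban", dest="root", matches=None, ssl=False):`. The body of `__init__` continues outside this hunk.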
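Review bot: The docstring added in the `@@ -88,6 +88,8 @@` hunk describes `ssl` as "TLS for the SMTP connection", but the code added later in this commit connects in plaintext and then calls `starttls()`. That is an opportunistic upgrade rather than implicit TLS, and the difference matters when an operator picks the port. I would word it as `Whether to upgrade the connection with STARTTLS before logging in and sending. Default False.` It is also worth one more sentence stating that with the default, authentication with `user`/`password` happens over an unencrypted connection.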
@@ -155,10 +157,19 @@ class SMTPAction(ActionBase): msg['To'] = self.toaddr msg['Date'] = formatdate() - smtp = smtplib.SMTP() + smtp = smtplib.SMTP(self.host) try: self._logSys.debug("Connected to SMTP '%s', response: %i: %s", self.host, *smtp.connect(self.host)) + + if self.ssl: # pragma: no cover + tls_result = smtp.starttls()[0]; + if tls_result != 220: # pragma: no cover + self._logSys.error( + "Failed to starttls() on '%s' for user '%s': %s", + self.host, self.user, tls_result) + raise Exception("Failed to starttls()") + if self.user and self.password: # pragma: no cover (ATM no tests covering that) smtp.login(self.user, self.password) failed_recipients = smtp.sendmail(
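Review bot: `smtp.starttls()` is called with no `context`, and as far as I know smtplib then builds a context that does not validate the server certificate or hostname, so the following `smtp.login(self.user, self.password)` is protected against passive sniffing only, not against an on-path host presenting its own certificate. Passing a verifying context closes that gap: `tls_result = smtp.starttls(context=ssl.create_default_context())[0]`, with `import ssl` at module level, which is outside this hunk. Because `host` may be in `host:port` form, confirm that the name used for verification is the bare hostname. Separately, `smtplib.SMTP(self.host)` already connects in the constructor, before the `try:`, and `smtp.connect(self.host)` then connects a second time, so a connection error on the first attempt is raised outside whatever handling the `try` provides (its `except`/`finally` are not visible here). The `!= 220` test looks redundant on Python 3, where `starttls()` raises `SMTPResponseException` on any other reply, and the trailing `;` can go.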