Check Mail-Delivery-Process via "modern auth" (Microsoft Outlook)

If you have big production systems it is mostly 2.0 or 1.6 :slight_smile:

Is there a Werk # for that?

The only werk that is published is this one:

And it explicitly states:
“Please also note that this feature only applies to {{check_mailboxes}} for now.”

We’re talking about the mail loop check, though. Is there a commit for this one, too?

We’re using version 2.1.

I don’t think so. Inside the GitHub master branch (2.2) you don’t see anything related to this problem. The whole active checks folder has not been changed in the last half year.

@Sara @TLI
Does anybody work on “mail_loop” Modern Auth support? Is this even included in a work item at Tribe29, or will Modern Auth only work for check_mailboxes for the foreseeable future and none of the other checks that reference email credentials (in our case, mail_loop)?


We use mail_loop, too, and would really like to see Modern Auth support for it.

Hi,
Have you already checked this?

Yes, a few posts above, in this very thread.

To quote myself:

And it explicitly states:
“Please also note that this feature only applies to {{check_mailboxes}} for now.”

Sorry. I overlooked it. Let me get you some answers.

Update:
I checked in 2.2.0b1 and OAuth2 support is not added to check_mail_loop yet. On check_mailboxes and check_mail it looks like the following at the moment:

  --fetch-server ADDRESS
                        Host address of the IMAP/POP3/EWS server hosting your mailbox
  --fetch-username USER
                        Username to use for IMAP/POP3/EWS
  --fetch-email-address EMAIL-ADDRESS
                        Email address (default: same as username, only effects EWS protocol)
  --fetch-password PASSWORD
                        Password to use for IMAP/POP3/EWS
  --fetch-client-id CLIENT_ID
                        OAuth2 ClientID for EWS
  --fetch-client-secret CLIENT_SECRET
                        OAuth2 ClientSecret for EWS
  --fetch-tenant-id TENANT_ID
                        OAuth2 TenantID for EWS

Will check internally on this further and keep you posted.


So, what did you find out? I realize there are All Hands On Deck for finalizing 2.2.0 at the moment, but can you tell us whether this is on any roadmap, work item, however you want to call it?

Sorry for my late response. Yes, we are definitely quite busy with 2.2.
The OAuth2 support in check_mailboxes is only possible with “Main Receiving = EWS”.

I have already discussed check_mail_loop with our project management team and it’s still in progress.

We have put it on our roadmap for Checkmk 2.3 and while I can’t promise it, I think we will also backport this to Checkmk 2.2.
With the release of Checkmk 2.2 done, we now have time to start tackling this issue.


After looking into the problem, would using EWS instead of IMAP/SMTP not make much more sense when checking Microsoft mail products?

Because with check_mailboxes, that’s how we did it. And then we could roll that change out to check_mail and check_mail_loop.

We’ll try to schedule this issue for development as soon as possible. Therefore, we’re currently refining the solution’s exact specifications.
@andreas-doehler, @bitwiz, @Norm: When it comes to monitoring Microsoft e-mail services, would it be sufficient to support EWS with OAuth2, or would you require OAuth2 for IMAP/SMTP, too?
The former would allow us to roll out the changes we already applied to check_mailboxes to check_mail and check_mail_loop, too.

Well, for us it’s pretty simple - I don’t particularly care about the protocols, I just want to be able to confirm that I can send and receive an email to/from O365 (given that most customers are hosted there). If check_mail_loop can do this purely through EWS, then everything is fine.

Currently a command of ours looks like this:

check_mk_active-mail_loop!'--smtp-server=$HOSTADDRESS$' '--smtp-tls' '--fetch-protocol=IMAP' '--fetch-server=outlook.office365.com' '--fetch-tls' '--fetch-username=mailtest2@customer.domain' '--fetch-password=testmail2' '--mail-from=mailtest1@customer.domain' '--mail-to=customer-loop@gmx.de' '--delete-messages' '--status-suffix=customer-domain.mail.protection.outlook.com-Exchange-GMX-Exchange' '--warning=300' '--critical=600'

And this (obviously) fails with “Failed to connect to outlook.office365.com:993: error(b’LOGIN failed.')”

If we can implement a way to talk to O365 in order to send an email or to verify its existence in a mailbox (and delete it!) then that’s all we need.

Hello, you should keep in mind that EWS is deprecated for O365.
Instead, the new Graph API can be used.
See: Upcoming API Deprecations in Exchange Web Services for Exchange Online

Thanks a lot for your feedback!

As we already support EWS in check_mailboxes, we’ll be able to transfer it to check_mail and check_mail_loop rather quickly. Therefore, we decided to add the EWS support to these two for now - despite the prospect of deprecation. But you are right, we will definitely have to keep this in mind in the long run.

Support for EWS with OAuth2 has been implemented for check_mail and check_mail_loop and will be available in Checkmk 2.1.0p36 and 2.2.0p12.

For details, please see Werk #16034.


Hello @Niklas ,

the functionality works as expected; however, following Werk #16043, the IMAP call now deletes all emails from INBOX. Reproduced with on-prem MS Exchange and HCL Domino mailboxes (so completely different vendors and IMAP server implementations).

This should be checked as I don’t think this is the expected behavior - otherwise there would be no point in the custom mail subjects created by the loop check if you delete everything anyway on every check interval.

tcpdump confirms that with 2 mails in INBOX (1 relevant to the mail loop check, with agreed-upon sender and subject, and 1 “legitimate” email with entirely different sender and subject),
check_mail_loop fetches both emails and then proceeds to delete both of them instead of only the one it should care about.
This is a data loss bug introduced with Werk #16043.

AAHK0 CAPABILITY
AAHK1 LOGIN CMK-Mailloop "MySecretPassword"
AAHK2 SELECT INBOX
AAHK3 SEARCH NOT DELETED
AAHK4 FETCH 1 (RFC822)
AAHK5 FETCH 2 (RFC822)
AAHK6 STORE 1 +FLAGS (\Deleted)
AAHK7 STORE 2 +FLAGS (\Deleted)
AAHK8 EXPUNGE
AAHK9 CLOSE
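The IMAP trace above shows the failure mode: both fetched messages get `STORE +FLAGS (\Deleted)`. As an added example (not Checkmk's own code), here is the selection step a loop check needs between FETCH and STORE: only mails whose sender and status-suffixed subject identify them as the check's own probes are marked for deletion and used for the round-trip time, and the foreign message stays in INBOX. The subject layout `Mail-Loop <suffix> <unix timestamp>`, the `evaluate`/`loop_timestamp` names and the sample messages are assumptions; sender, suffix and thresholds come from the command line quoted earlier in the thread.

```python
import email
import re
from email.utils import parseaddr

# Values taken from the check_mk_active-mail_loop command quoted in this thread.
LOOP_SENDER = "mailtest1@customer.domain"
STATUS_SUFFIX = "customer-domain.mail.protection.outlook.com-Exchange-GMX-Exchange"
WARN, CRIT = 300, 600

# Assumed subject layout for this example: "Mail-Loop <suffix> <unix timestamp>"
SUBJECT_RE = re.compile(r"^Mail-Loop (\S+) (\d+)$")


def loop_timestamp(raw: bytes, sender: str, suffix: str):
    """Return the send timestamp if this is one of our own loop mails, else None."""
    msg = email.message_from_bytes(raw)
    if parseaddr(msg.get("From", ""))[1].lower() != sender.lower():
        return None
    m = SUBJECT_RE.match(msg.get("Subject", "").strip())
    if not m or m.group(1) != suffix:
        return None
    return int(m.group(2))


def evaluate(fetched: dict, now: int, sender=LOOP_SENDER, suffix=STATUS_SUFFIX,
             warn=WARN, crit=CRIT):
    """Return (state, summary, sequence numbers that may be flagged \\Deleted).

    fetched maps IMAP sequence number -> raw RFC822 bytes (result of FETCH n (RFC822)).
    Only our own loop mails are returned for deletion; everything else stays in INBOX.
    """
    to_delete, durations = [], []
    for seq, raw in sorted(fetched.items()):
        ts = loop_timestamp(raw, sender, suffix)
        if ts is None:
            continue  # foreign mail: never touch it
        to_delete.append(seq)
        durations.append(now - ts)
    if not durations:
        return 3, "UNKNOWN - no loop mail received yet", to_delete
    worst = max(durations)
    state = 0 if worst < warn else 1 if worst < crit else 2
    return state, f"Round trip {worst}s", to_delete


# Constructed sample INBOX: message 1 is the loop mail, message 2 is a user's mail.
SAMPLE_INBOX = {
    1: (b"From: mailtest1@customer.domain\r\nTo: customer-loop@gmx.de\r\n"
        b"Subject: Mail-Loop " + STATUS_SUFFIX.encode() + b" 1700000000\r\n\r\nping\r\n"),
    2: (b"From: boss@customer.domain\r\nTo: mailtest2@customer.domain\r\n"
        b"Subject: Q3 figures\r\n\r\nPlease review.\r\n"),
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_INBOX, now=1700000120))
```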

Hi bitwiz, thanks for your feedback. We’ll create an internal ticket to have a closer look and let you know once we have any news.