Sophos UTM: Monitoring the mail queues

I have already received a few emails regarding the monitoring of Sophos Email Protection. As I also use email protection in my private environment, this topic is also of interest to me.

The UTM Mail Manager already provides a very useful overview:

However, it is not very practical to have this overview permanently open in the browser, especially as most companies also use monitoring software.

I use the PRTG software for monitoring, so there is also a corresponding script for a PRTG sensor in this article.

From the emails I have received, most people (like me) are most interested in being informed about the status of SMTP queues. So basically these three values:

Unfortunately, the status of the queues cannot be queried via SNMP or RestAPI, so the only remaining options for obtaining the values are SSH (shell access) or screen parsing. I have decided to use SSH and shell access.

It's not necessarily nice when I log in to the UTM via SSH, but at least it's relatively easy to get the number of mails in the SMTP queues.

In order to get the values, I have created a small PowerShell script which establishes the connection to the UTM via SSH. The connection is established with the user "loginuser". Root access is not required by the script.

The following settings are required in the configuration of the UTM for shell access to work:

Under "Allowed networks", you can restrict which networks or hosts have access to the SSH shell of the UTM. In my case, this is only the internal network and the server that executes the script.

The UTM sends an e-mail to the administrator every time an SSH login is successful. In this case it is therefore necessary to switch off the e-mail notification for successful SSH logins, as otherwise a warning is sent by e-mail every time the script is run:

SNMP traps can still be used, the trap receiver can be configured so that successful logins from the IP of the host (which executes the script) are not immediately regarded as problematic (SIEM systems).

The preparation of the UTM is now complete, we will continue with the actual PowerShell script.

PowerShell script for reading the UTM mail queues

The Posh-SSH module is required so that the SMTP queues of the UTM can be read out. This module enables an SSH connection to be established using PowerShell. On current Windows operating systems, the module can be installed quickly using NuGet:

Install modules Posh-SSH

The following script can now be used to read the mails of the SMTP queues, the first three lines must be adapted to your own environment (login user usually does not need to be changed):

$UTMHostNameorIP = "utm.domain.local"
$Loginuser = "loginuser"
$LoginUserPassword = "SecurePassword1"
$LoginUserPasswordSec = ConvertTo-SecureString $LoginUserPassword -AsPlainText -Force
$LoginCreds = New-Object System.Management.Automation.PSCredential($Loginuser,$LoginUserPasswordSec)
#Connect SSH Session
try {
$ConnectSSHSession = New-SSHSession -ComputerName $UTMHostNameorIP -Credential $LoginCreds -AcceptKey:$true
}
catch {
write-host "Can't connect to UTM"
}
#Query Quarantine
try {
$StrQuarantine = (Invoke-SSHCommand -Command "find /var/storage/chroot-smtp/spool/quarantine -type f | wc -l" -Index $ConnectSSHSession.SessionId).Output
[int]$Quarantine = [convert]::ToInt32($StrQuarantine, 10)
}
catch {
write-host "Can't query Quarantine mails"
}
if ($Quarantine -eq 1 -or $Quarantine -eq 0) {
$Quarantine = 0
} else {
$Quarantine = ($Quarantine -1)/2
}
#Query Output Queue (Spool)
try {
$StrOutput = (Invoke-SSHCommand -Command "find /var/storage/chroot-smtp/spool/output -type f | wc -l" -Index $ConnectSSHSession.SessionId).Output
[int]$Output = [convert]::ToInt32($StrOutput, 10)
}
catch {
write-host "Can't query Output (spool) mails"
}
if ($Output -eq 1 -or $Output -eq 0) {
$Output = 0
} else {
$Output = ($Output -1)/2
}
#Query corrupt queue
try {
$StrCorrupt = (Invoke-SSHCommand -Command "find /var/storage/chroot-smtp/spool/corrupt -type f | wc -l" -Index $ConnectSSHSession.SessionId).Output
[int]$Corrupt = [convert]::ToInt32($StrCorrupt , 10)
}
catch {
write-host "Can't query corrupt mails"
}
if ($Corrupt -eq 1 -or $Corrupt -eq 0) {
$Corrupt = 0
} else {
$Corrupt = ($Corrupt -1)/2
}
#Disconnect SSH session
$DisconnectSSHSession = Remove-SSHSession -Index $ConnectSSHSession.SessionId
#Write Results
write-host "Mails in Quarantine: $Quarantine"
write-host "Mails in Spool Queue: $Output"
write-host "Corrupt Mails: $Corrupt"

The script establishes an SSH connection with the specified user and password to the UTM, reads the number of files from the corresponding spool directories and calculates the number of mails in the queues. Each mail in the respective queue directory consists of 2 files (SMTP header and body), and there is also a lock file in the queue directory. This is taken into account by the script and calculated accordingly.

Here is the output of the script:

For comparison, the values in the UTM mail manager:

The values of the queues are written in variables and can be reused as required.

Monitoring the UTM mail queues with PRTG

I have modified the previous general script slightly so that it can be used to create a PRTG sensor. The first lines must be adapted to your own environment (login user, password and UTM host name). The PoshSSH module on the PRTG server is also required for this script.

Here is the script for a PRTG sensor:

#User with Shell Access to Sophos UTM:
$Loginuser = "loginuser"
#Password for Loginuser:
$LoginUserPassword = "SecretPassword1"
$UTMHostnameorIP = "utm.domain.local"
#Create Credential Object
$LoginUserPasswordSec = ConvertTo-SecureString $LoginUserPassword -AsPlainText -Force
$LoginCreds = New-Object System.Management.Automation.PSCredential($Loginuser,$LoginUserPasswordSec)
#Confirm Powershell Version.
if ($PSVersionTable.PSVersion.Major -lt 3) {
Write-Output ""
Write-Output "1"
Write-Output "Powershell Version is $($PSVersionTable.PSVersion.Major) Requires at least 3. "
Write-Output ""
Exit
}
#Connect SSH Session
try {
$ConnectSSHSession = New-SSHSession -ComputerName $UTMHostnameorIP -Credential $LoginCreds -AcceptKey:$true
}
catch {
Write-Output ""
Write-Output "1"
Write-Output "Can't connect to UTM"
Write-Output ""
Exit
}
#Query Quarantine
try {
$StrQuarantine = (Invoke-SSHCommand -Command "find /var/storage/chroot-smtp/spool/quarantine -type f | wc -l" -Index $ConnectSSHSession.SessionId).Output
[int]$Quarantine = [convert]::ToInt32($StrQuarantine, 10)
}
catch {
Write-Output ""
Write-Output "1"
Write-Output "Can't query Qurantine mails"
Write-Output ""
Exit
}
if ($Quarantine -eq 1 -or $Quarantine -eq 0) {
$Quarantine = 0
} else {
$Quarantine = ($Quarantine -1)/2
}
#Query Output Queue (Spool)
try {
$StrOutput = (Invoke-SSHCommand -Command "find /var/storage/chroot-smtp/spool/output -type f | wc -l" -Index $ConnectSSHSession.SessionId).Output
[int]$Output = [convert]::ToInt32($StrOutput, 10)
}
catch {
Write-Output ""
Write-Output "1"
Write-Output "Can't query Output (spool) mails"
Write-Output ""
Exit
}
if ($Output -eq 1 -or $Output -eq 0) {
$Output = 0
} else {
$Output = ($Output -1)/2
}
#Query corrupt queue
try {
$StrCorrupt = (Invoke-SSHCommand -Command "find /var/storage/chroot-smtp/spool/corrupt -type f | wc -l" -Index $ConnectSSHSession.SessionId).Output
[int]$Corrupt = [convert]::ToInt32($StrCorrupt , 10)
}
catch {
Write-Output ""
Write-Output "1"
Write-Output "Can't query corrupt mails"
Write-Output ""
Exit
}
if ($Corrupt -eq 1 -or $Corrupt -eq 0) {
$Corrupt = 0
} else {
$Corrupt = ($Corrupt -1)/2
}
#Disconnect SSH session
$DisconnectSSHSession = Remove-SSHSession -Index $ConnectSSHSession.SessionId
#Write Results
write-host ""
Write host ""
Write host "Qurantine Mails"
Write host "$($Quarantine)"
Write-Host ""
Write host ""
Write host "Spooled Mails"
Write host "$($Output)"
Write host ""
Write host ""
Write host "Corrupt Mails"
Write host "$($Corrupt)"
Write host ""
write-host ""

The script can be copied to the PRTG Curstom Sensors\EXEXML directory after customization:

Before a sensor is created, the script can be tested once and a corresponding PRTG structure should be returned:

If the test is successful, a new sensor can be created:

"Program/Script (Advanced)" is selected as the sensor type:

The new sensor is given a descriptive name and the previously created PS1 file is selected under "Program/Script":

A short time later, the sensor should already be delivering the values, which can now be improved a little:

With corresponding settings for the threshold values of the channels (switch on alarm based on limit values), threshold values for warning and error states can also be entered here for each channel:

Here is a finished view:

Unfortunately, as already mentioned, the login via SSH on the UTM is not so nice. Here you should also think about the notification, if the UTM spools a lot of mails, it could also be because the Exchange server can no longer accept mails. In this case, a notification via SMS would make more sense than via email.