SMTP Server with Authentication not working via postfix


Renan Rivera

Jul 28, 2022, 11:06:02 PM
to Wazuh mailing list
Hello Guys,

I would like to request assistance on setting up the SMTP server authentication.

SMTP Server Use: Outlook
OS Server : Oracle Linux

First of all, I have had no problems in the past months with my initial setup, which is just a simple configuration in ossec.conf:

<global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>yes</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>xxxxx360-com.mail.protection.outlook.com</smtp_server>
    <email_from>XX...@xxxxx360.com</email_from>
    <email_to>A...@xxxxx360.com</email_to>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>10m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>

<alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
</alerts>

For the last two weeks, I've noticed that I no longer receive alerts in my email even though there are events in Wazuh security.

I've checked the logs and there is an error: rcpt to not accepted by server.

I read some documentation and I decided to change the configuration by setting up the SMTP server with authentication.

I followed these steps:
1.) yum update && yum install postfix mailx cyrus-sasl cyrus-sasl-plain
2.) Configure Postfix in the /etc/postfix/main.cf file by adding these lines to the end of the file:

relayhost = [xxxxx360-com.mail.protection.outlook.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes


3.) Configure the email address and password:
echo "[shore360-com.mail.protection.outlook.com]:587 USER...@gmail.com:PASSWORD" > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
chmod 400 /etc/postfix/sasl_passwd

4.) Secure the DB password:
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

5.) Restart Postfix.
6.) Tried to send a sample email through postfix:
echo "Test mail from postfix" | mail -s "Test Postfix" x...@shore360.com

But I have not received anything from this test. Also, I've been looking for the postfix logs but I can't find them (no such file):

/var/log/mail.log  
/var/log/maillog

I tried testing the Wazuh alert and these are the new logs:

Jul 29, 2022 @ 16:46:36.000 wazuh-maild INFO  Getting alerts in log format.
Jul 29, 2022 @ 17:52:53.000 wazuh-maild INFO  (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
Jul 29, 2022 @ 17:53:04.000 wazuh-maild INFO  Started (pid: 28671).
Jul 29, 2022 @ 17:53:04.000 wazuh-maild INFO  Getting alerts in log format.
Jul 29, 2022 @ 17:53:22.000 wazuh-maild INFO  (1225): SIGNAL [(15)-(Terminated)] Received. Exit Cleaning...
Jul 29, 2022 @ 17:53:33.000 wazuh-maild INFO  Started (pid: 29576).
Jul 29, 2022 @ 17:53:33.000 wazuh-maild INFO  Getting alerts in log format.


Again, I am not receiving any emails. On our SMTP server, the IP is already whitelisted, and so is the email sender.

Please advise.

Thank you,
Renan
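The relay settings in steps 2 to 4 are what decide whether the SASL credentials leave the host encrypted and who can read them on disk. The script below is an added example, not code from this thread, from Wazuh or from Postfix: a POSIX shell audit that reads a main.cf and a sasl_passwd file and flags a missing noanonymous, TLS that is only opportunistic (smtp_use_tls = yes without smtp_tls_security_level = encrypt), a world-readable password map, a missing .db from postmap, and a relayhost pointing at a *.mail.protection.outlook.com host, which is a tenant's inbound MX rather than the Microsoft 365 SMTP AUTH submission endpoint smtp.office365.com:587. The "weak" and "fixed" sample files it writes, including their hostnames and credentials, are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit the Postfix relay settings the
# steps above rely on. It reads copies of main.cf and sasl_passwd given as
# arguments, so it can be exercised on constructed samples without Postfix.

# Effective value of a main.cf key (the last definition wins, as in Postfix).
# Usage: cf_get FILE KEY
cf_get() {
    awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && match($0, "^[ \t]*" key "[ \t]*=") {
            val = substr($0, RLENGTH + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        }
        END { print val }' "$1"
}

# Print one line per finding and return the number of findings (0 = clean).
# Usage: audit_relay MAIN_CF SASL_PASSWD
audit_relay() {
    cf="$1"; pw="$2"; n=0
    relay=$(cf_get "$cf" relayhost)
    case "$relay" in
        "") echo "FAIL relayhost is not set"; n=$((n+1)) ;;
        *mail.protection.outlook.com*)
            # *.mail.protection.outlook.com is a tenant's inbound MX; SMTP AUTH
            # submission for Microsoft 365 goes to smtp.office365.com:587.
            echo "WARN relayhost '$relay' is an inbound MX host, not a submission endpoint"
            n=$((n+1)) ;;
    esac
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
        { echo "FAIL smtp_sasl_auth_enable is not yes"; n=$((n+1)); }
    case "$(cf_get "$cf" smtp_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "FAIL smtp_sasl_security_options lacks noanonymous"; n=$((n+1)) ;;
    esac
    # smtp_use_tls=yes only makes TLS opportunistic: if the relay does not
    # offer STARTTLS, the SASL password goes out in clear text. Require it.
    case "$(cf_get "$cf" smtp_tls_security_level)" in
        encrypt|secure|verify|dane-only|fingerprint) ;;
        *) echo "FAIL smtp_tls_security_level should be encrypt (or stricter)"; n=$((n+1)) ;;
    esac
    if [ -f "$pw" ]; then
        mode=$(stat -c %a "$pw" 2>/dev/null || stat -f %Lp "$pw")
        [ "$mode" = 600 ] || [ "$mode" = 400 ] ||
            { echo "FAIL $pw mode is $mode, expected 600 or 400"; n=$((n+1)); }
        [ -f "$pw.db" ] || { echo "WARN $pw.db missing, run: postmap $pw"; n=$((n+1)); }
    else
        echo "FAIL $pw does not exist"; n=$((n+1))
    fi
    return $n
}

# Constructed samples: "weak" mirrors the settings quoted in the post,
# "fixed" is the hardened form. Hostnames and credentials are placeholders.
# Usage: write_sample DIR weak|fixed
write_sample() {
    if [ "$2" = weak ]; then
        cat > "$1/main.cf" <<'EOF'
relayhost = [example-com.mail.protection.outlook.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_use_tls = yes
EOF
        echo '[example-com.mail.protection.outlook.com]:587 user@example.com:PASSWORD' > "$1/sasl_passwd"
        chmod 644 "$1/sasl_passwd"        # world-readable credentials
    else
        cat > "$1/main.cf" <<'EOF'
relayhost = [smtp.office365.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_security_level = encrypt
EOF
        echo '[smtp.office365.com]:587 user@example.com:PASSWORD' > "$1/sasl_passwd"
        chmod 600 "$1/sasl_passwd"
        : > "$1/sasl_passwd.db"          # stands in for postmap's output
    fi
}

# Demonstration on the constructed samples (no Postfix needed).
tmp=$(mktemp -d)
for kind in weak fixed; do
    mkdir -p "$tmp/$kind"; write_sample "$tmp/$kind" "$kind"
    echo "== $kind sample =="
    rc=0; audit_relay "$tmp/$kind/main.cf" "$tmp/$kind/sasl_passwd" || rc=$?
    echo "$rc finding(s)"
done
rm -rf "$tmp"
```

To check a live host, run it as root against /etc/postfix/main.cf and /etc/postfix/sasl_passwd; the return code is the number of findings, so it can gate a configuration-management run. Note that noplaintext is deliberately not required: Microsoft 365 and Gmail authenticate with PLAIN or LOGIN inside the TLS session, so the protection comes from making TLS mandatory, not from disabling those mechanisms.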

Jonathan Martín Valera

Aug 1, 2022, 7:15:11 AM
to Wazuh mailing list

Hi,

You say that the alerts were sent correctly via email before, right? Has any configuration been changed recently? Either in the wazuh-manager or in the SMTP server?

Before starting the debugging process in the wazuh-manager, I would try with the test messages until you get these messages sent and received correctly.

echo "Test mail from postfix" | mail -s "Test Postfix" -r "y...@example.com" y...@example.com

From here, if you receive these test emails and not the alerts, I would start with the wazuh-manager debugging.

Now, starting with the debugging of your SMTP server configuration, the easiest and fastest way would be to check if there has been any configuration change, IPs, DNSs … that could have caused the conflict and make it not work.

Surely, the postfix logs recorded in /var/log/maillog of your SMTP server host can give you some more information. For example, I share some "error" logs after trying to send the test message:

Aug  1 11:03:28 mail2 postfix/bounce[53348]: warning: /etc/postfix/main.cf, line 745: overriding earlier entry: smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt
Aug  1 11:03:28 mail2 postfix/smtp[53347]: 438D5188511C: to=<x...@hotmail.com>, relay=smtp.office365.com[40.x.138.x]:587, delay=5.4, delays=0.02/0.02/0.31/5, dsn=5.7.57, status=bounced (host smtp.office365.com[40.101.x.2] said: 530 5.7.57 Client not authenticated to send mail. [PR2P264CA0005.FRAP264.PROD.OUTLOOK.COM] (in reply to MAIL FROM command))
Aug  1 11:03:28 mail2 postfix/smtp[53347]: 438D5188511C: lost connection with smtp.office365.com[40.101.x.2] while sending RCPT TO
Aug  1 11:03:28 mail2 postfix/cleanup[53345]: A5A60188511D: message-id=<2022080111032...@mail2.localdomain>
Aug  1 11:03:28 mail2 postfix/qmgr[51743]: A5A60188511D: from=<>, size=2605, nrcpt=1 (queue active)
Aug  1 11:03:28 mail2 postfix/bounce[53348]: 438D5188511C: sender non-delivery notification: A5A60188511D
Aug  1 11:03:28 mail2 postfix/qmgr[51743]: 438D5188511C: removed

From this information, I would check configurations, connections … until you actually manage to send them.

x x 00:58:35 mwiapp01 postfix/smtp[26151]: 28D5A4078131: to=<som...@somecompany.com>, relay=example.outlook.com[104.47.100.36]:25, delay=7.8, delays=0.06/0.05/4.2/3.5, dsn=2.6.0, status=sent (250 2.6.0 <5f236cb4.kaTYiINfdbNN2Gyr%user...@gritfy.com> [InternalId=22905060593379, Hostname=MAXPR01MB4031.INDPRD01.PROD.OUTLOOK.COM] 8684 bytes in 0.610, 13.883 KB/sec Queued mail for delivery)
x x 00:58:35 mwiapp01 postfix/qmgr[25474]: 28D5A4078131: removed

Regarding your ossec.conf configuration, I don't see anything strange, so I imagine that as soon as you solve the problems with your SMTP server configuration, you should receive the alert emails. If this is not the case, do not hesitate to let me know so I can help you with that issue.

Best regards.
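The /var/log/maillog lines quoted in this reply carry the queue ID, the relay, the DSN code and the remote server's verbatim reply, which is what decides whether a failure is authentication (a 5.7.x bounce like the one above), an unreachable port (a deferred connection timeout) or something else. As an added example that is not part of this reply, of Wazuh or of Postfix, the shell script below extracts those fields with awk and counts attempts by status; the log it triages is a constructed sample modelled on the quoted lines, with IPs from the 192.0.2.0/24 documentation range, made-up queue IDs and example.net recipients.

```shell
#!/bin/sh
# Added example, not from the thread: summarise Postfix delivery attempts from
# a maillog so a bounce such as "530 5.7.57 Client not authenticated" stands
# out among qmgr/cleanup noise. Assumes the default syslog line layout
# ("Mon DD HH:MM:SS host postfix/smtp[pid]: QUEUEID: to=<...>, ...").

# One line per smtp delivery attempt:
#   QUEUEID STATUS DSN RECIPIENT RELAY "REASON"
# Usage: triage_maillog FILE
triage_maillog() {
    awk '
        / postfix\/smtp\[[0-9]+\]: [0-9A-F]+: to=</ {
            qid = $6; sub(/:$/, "", qid)
            to = relay = dsn = status = reason = "?"
            if (match($0, /to=<[^>]*>/))    to     = substr($0, RSTART + 4, RLENGTH - 5)
            if (match($0, /relay=[^,]*/))   relay  = substr($0, RSTART + 6, RLENGTH - 6)
            if (match($0, /dsn=[0-9.]+/))   dsn    = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /status=[a-z]+/)) status = substr($0, RSTART + 7, RLENGTH - 7)
            # The remote server reply, kept verbatim: it names the failing
            # SMTP command and the enhanced status code to look up.
            if (match($0, /status=[a-z]+ \(.*\)$/)) {
                reason = substr($0, RSTART, RLENGTH)
                sub(/^status=[a-z]+ \(/, "", reason); sub(/\)$/, "", reason)
            }
            printf "%s %s %s %s %s \"%s\"\n", qid, status, dsn, to, relay, reason
        }' "$1"
}

# Number of attempts with STATUS (sent, bounced, deferred); usable as the
# condition for a cron job that raises an alert when bounces appear.
# Usage: count_status FILE STATUS
count_status() {
    triage_maillog "$1" | awk -v s="$2" '$2 == s' | wc -l | tr -d ' '
}

# Constructed sample log modelled on the lines quoted in the reply; IPs are
# from the 192.0.2.0/24 documentation range and queue IDs are made up.
# Usage: write_sample_log FILE
write_sample_log() {
    cat > "$1" <<'EOF'
Aug  1 11:03:28 mail2 postfix/cleanup[53345]: 438D5188511C: message-id=<20220801110323.438D5188511C@mail2.localdomain>
Aug  1 11:03:28 mail2 postfix/qmgr[51743]: 438D5188511C: from=<sender@example.com>, size=412, nrcpt=1 (queue active)
Aug  1 11:03:28 mail2 postfix/smtp[53347]: 438D5188511C: to=<user@example.net>, relay=smtp.office365.com[192.0.2.10]:587, delay=5.4, delays=0.02/0.02/0.31/5, dsn=5.7.57, status=bounced (host smtp.office365.com[192.0.2.10] said: 530 5.7.57 Client not authenticated to send mail. (in reply to MAIL FROM command))
Aug  1 11:05:10 mail2 postfix/smtp[53360]: 5C1E2188511E: to=<user@example.net>, relay=none, delay=30, delays=0.01/0/30/0, dsn=4.4.1, status=deferred (connect to example-com.mail.protection.outlook.com[192.0.2.20]:25: Connection timed out)
Aug  1 11:07:45 mail2 postfix/smtp[53371]: 7A3B4188511F: to=<user@example.net>, relay=smtp.gmail.com[192.0.2.30]:587, delay=2.1, delays=0.02/0.01/0.9/1.2, dsn=2.0.0, status=sent (250 2.0.0 OK 1659351000 x1-20020a05 - gsmtp)
Aug  1 11:07:45 mail2 postfix/qmgr[51743]: 7A3B4188511F: removed
EOF
}

# Demonstration: write the sample, triage it, and show the status counts.
log=$(mktemp)
write_sample_log "$log"
triage_maillog "$log"
for s in sent deferred bounced; do
    echo "$s: $(count_status "$log" "$s")"
done
rm -f "$log"
```

On a real host, point triage_maillog at /var/log/maillog (or at the output of journalctl -u postfix when the distribution logs to the journal instead of a file, which is one reason the file can be absent). The DSN column is the quickest filter: 5.7.x is an authentication or policy rejection by the relay, 4.4.x is a connection problem on the local side, and 2.x.x means the relay accepted the message, so any later loss is on the receiving side.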

Renan Rivera

Aug 1, 2022, 7:33:43 PM
to Jonathan Martín Valera, Wazuh mailing list
Hello Jonathan,

Thank you for responding to my email.

I have figured out the issue: spamhaus.org has blocked the IP of my server. I have already sent a request to whitelist my IP on that site.

I've noticed that sending through port 25 is blocked, so I've changed the port to the TLS port 587. I tested Outlook using ports 25 and 587 (25 blocked, 587 not working). So what I did is create a Gmail account just for this so that I can use the TLS port, and emails are now successfully received.

It is strange that I don't see this log file, /var/log/maillog, which makes it difficult for me to find the error message.

My System Info:
Wazuh : Version 4.3.5
OS : Oracle Linux 8.6

Again thank you for your help Jonathan, really appreciate it.

Warm regards,
Renan
