OSSEC with MSMTP client


Vlad Ghita

Jun 23, 2016, 8:21:10 AM
to osse...@googlegroups.com
Hi all,

Can you please tell me if I can use OSSEC v2.9 with MSMTP mailer? I tried to use it like this in the ossec.conf file but it doesn't work:

<smtp_server> msmtp -v --timeout 20 -f "tvlc.r...@gmail.com" -t</smtp_server>

and this is an example of how I use msmtp to send mail:

echo "To:vlad....@gmail.com
Cc:
Bcc:
Subject:TEST MAIL
Content-Type: text/html;
<html>
<head>
<title>TITLE</title>
<BR>this is a test mail</BR>
</head>
</html>" | msmtp -v --timeout 10 -f "ma...@example.com" -t "vlad....@gmail.com"


What am I doing wrong? Please help me get this to work, I really want to have OSSEC working with this. Thank you!

Vlad

dan (ddp)

Jun 23, 2016, 8:24:01 AM
to ossec-dev
On Thu, Jun 23, 2016 at 8:15 AM, Vlad Ghita <vlad....@gmail.com> wrote:
> Hi all,
>
> Can you please tell me if I can use OSSEC v2.9 with MSMTP mailer? I tried to
> use it like this in ossec.conf file but doesn't work:
>
> <smtp_server> msmtp -v --timeout 20 -f "tvlc.r...@gmail.com"
> -t</smtp_server>
>

That change should be in 2.9, but I think you need the path to the
msmtp binary in the configuration.

> and this is an example of how I use msmtp to send mail:
>
> echo "To:vlad....@gmail.com
> Cc:
> Bcc:
> Subject:TEST MAIL
> Content-Type: text/html;
> <html>
> <head>
> <title>TITLE</title>
> <BR>this is a test mail</BR>
> </head>
> </html>" | msmtp -v --timeout 10 -f "ma...@example.com" -t
> "vlad....@gmail.com"
>
> What do I do wrong? Please help me to get this work, I really want to have
> OSSEC working with this. Thank you!
>
> Vlad
>

Vlad Ghita

Jun 23, 2016, 11:07:14 AM
to ossec-dev
Actually I've looked in the sources and noticed that '/' char is mandatory, so I've put the full path, like this:

<smtp_server>/usr/local/bin/msmtp -v --timeout 20 -f "exped...@gmail.com" -t</smtp_server>

Still, no email sent. Also, the strange fact is I have no error message from OSSEC. Is this feature fully supported?



On Thursday, June 23, 2016 at 3:21:10 PM UTC+3, Vlad Ghita wrote:
> Hi all,
>
> Can you please tell me if I can use OSSEC v2.9 with MSMTP mailer? I tried to use it like this in ossec.conf file but doesn't work:
>
> <smtp_server> msmtp -v --timeout 20 -f "expediteur@gmail.com" -t</smtp_server>
>
> and this is an example of how I use msmtp to send mail:
>
>
> Cc:
> Bcc:
> Subject:TEST MAIL
> Content-Type: text/html;
> <html>
> <head>
> <title>TITLE</title>
> <BR>this is a test mail</BR>
> </head>
> </html>" | msmtp -v --timeout 10 -f "ma...@example.com" -t "desti...@gmail.com"
>
> What do I do wrong? Please help me to get this work, I really want to have OSSEC working with this. Thank you!
>
> Vlad

dan (ddp)

Jun 23, 2016, 11:16:03 AM
to ossec-dev
On Thu, Jun 23, 2016 at 10:56 AM, Vlad Ghita <vlad....@gmail.com> wrote:
> Actually I've looked in the sources and noticed that '/' char is mandatory,
> so I've put the full path, like this:
>
> <smtp_server>/usr/local/bin/msmtp -v --timeout 20 -f "exped...@gmail.com"
> -t</smtp_server>
>
> Still, no email sent. Also, the strange fact is I have no error message from

Are there any logs from msmtp?

> OSSEC. Is this feature fully supported?
>

Define "fully supported."

>
> On Thursday, June 23, 2016 at 3:21:10 PM UTC+3, Vlad Ghita wrote:
>>
>> Hi all,
>>
>> Can you please tell me if I can use OSSEC v2.9 with MSMTP mailer? I tried
>> to use it like this in ossec.conf file but doesn't work:
>>
>> <smtp_server> msmtp -v --timeout 20 -f "exped...@gmail.com"
>> -t</smtp_server>
>>
>> and this is an example of how I use msmtp to send mail:
>>
>> echo "To:desti...@gmail.com
>> Cc:
>> Bcc:
>> Subject:TEST MAIL
>> Content-Type: text/html;
>> <html>
>> <head>
>> <title>TITLE</title>
>> <BR>this is a test mail</BR>
>> </head>
>> </html>" | msmtp -v --timeout 10 -f "ma...@example.com" -t
>> "desti...@gmail.com"
>>
>> What do I do wrong? Please help me to get this work, I really want to have
>> OSSEC working with this. Thank you!
>>
>> Vlad
>

Vlad Ghita

Jun 24, 2016, 6:53:49 AM
to ossec-dev
Yes, I've enabled logging for MSMTP and it seems it doesn't even get called (I see no error nor sent email in its logs). Also in OSSEC logs there is no error, still the mail doesn't get sent.
Should I open an issue regarding this or is there something I'm doing wrong (maybe inside <smtp_server> tag)? Thank you!


On Thursday, June 23, 2016 at 6:16:03 PM UTC+3, ddp...@gmail.com wrote:
> On Thu, Jun 23, 2016 at 10:56 AM, Vlad Ghita <vlad....@gmail.com> wrote:
>> Actually I've looked in the sources and noticed that '/' char is mandatory,
>> so I've put the full path, like this:
>>
>> <smtp_server>/usr/local/bin/msmtp -v --timeout 20 -f "exped...@gmail.com"
>> -t</smtp_server>
>>
>> Still, no email sent. Also, the strange fact is I have no error message from
>
> Are there any logs from msmtp?
>
>> OSSEC. Is this feature fully supported?
>>
>
> Define "fully supported."
>
>>
>> On Thursday, June 23, 2016 at 3:21:10 PM UTC+3, Vlad Ghita wrote:
>>>
>>> Hi all,
>>>
>>> Can you please tell me if I can use OSSEC v2.9 with MSMTP mailer? I tried
>>> to use it like this in ossec.conf file but doesn't work:
>>>
>>> <smtp_server> msmtp -v --timeout 20 -f "exped...@gmail.com"
>>> -t</smtp_server>
>>>
>>> and this is an example of how I use msmtp to send mail:
>>>

dan (ddp)

Jun 24, 2016, 7:26:01 AM
to ossec-dev
On Fri, Jun 24, 2016 at 6:53 AM, Vlad Ghita <vlad....@gmail.com> wrote:
> Yes, I've enabled logging for MSMTP and it seems it doesn't even get called
> (I see no error nor sent email in its logs). Also in OSSEC logs there is no
> error, still the mail doesn't get sent.
> Should I open an issue regarding to this or is there something I'm doing
> wrong (maybe inside <smtp_server> tag)? Thank you!
>

I've never used the feature, so I'm not sure what else to try.

dan (ddp)

Jun 24, 2016, 7:49:27 AM
to ossec-dev
On Fri, Jun 24, 2016 at 7:25 AM, dan (ddp) <ddp...@gmail.com> wrote:
> On Fri, Jun 24, 2016 at 6:53 AM, Vlad Ghita <vlad....@gmail.com> wrote:
>> Yes, I've enabled logging for MSMTP and it seems it doesn't even get called
>> (I see no error nor sent email in its logs). Also in OSSEC logs there is no
>> error, still the mail doesn't get sent.
>> Should I open an issue regarding to this or is there something I'm doing
>> wrong (maybe inside <smtp_server> tag)? Thank you!
>>
>
> I've never used the feature, so I'm not sure what else to try.
>

And now I have.
Here is my msmtprc:
root@earth:~# more /etc/msmtprc
##
# Set default values for all following accounts.
defaults
account test
host ix.example.com
from tes...@earth.example.com

logfile /tmp/msmtp.log

# Set a default account
account default: test
##

The relevant ossec.conf:
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>d...@ix.example.com</email_to>
<smtp_server>/usr/bin/msmtp -v --timeout 20 -f "os...@earth.example.com" -t</smtp_server>
<email_from>ossecm@earth</email_from>
</global>


And the msmtp.log:
root@earth:~# tail /tmp/msmtp.log
Jun 24 07:45:55 host=ix.example.com tls=off auth=off from=os...@earth.example.com recipients=d...@ix.example.com mailsize=360 smtpstatus=250 smtpmsg='250 2.0.0: 64451456 Message accepted for delivery' exitcode=EX_OK
Jun 24 07:46:40 host=ix.example.com tls=off auth=off from=os...@earth.example.com recipients=d...@ix.example.com mailsize=681 smtpstatus=250 smtpmsg='250 2.0.0: 4e51873b Message accepted for delivery' exitcode=EX_OK

You can use tcpdump on your ossec server to see if it's attempting to
connect to anything.

Antonio Querubin

Jun 24, 2016, 7:56:33 AM
to ossec-dev
On Fri, 24 Jun 2016, Vlad Ghita wrote:

> Yes, I've enabled logging for MSMTP and it seems it doesn't even get called
> (I see no error nor sent email in its logs). Also in OSSEC logs there is no
> error, still the mail doesn't get sent.
> Should I open an issue regarding to this or is there something I'm doing
> wrong (maybe inside <smtp_server> tag)? Thank you!
>
> On Thursday, June 23, 2016 at 6:16:03 PM UTC+3, ddp...@gmail.com wrote:
>>
>> On Thu, Jun 23, 2016 at 10:56 AM, Vlad Ghita <vlad....@gmail.com> wrote:
>>> Actually I've looked in the sources and noticed that '/' char is mandatory,
>>> so I've put the full path, like this:
>>>
>>> <smtp_server>/usr/local/bin/msmtp -v --timeout 20 -f "exped...@gmail.com"
>>> -t</smtp_server>
>>>
>>> Still, no email sent. Also, the strange fact is I have no error message from

smtp_server can only be a hostname or IP address. During startup, ossec
is probably complaining that the value doesn't resolve to an IP address
and ignoring it.

Antonio Querubin
e-mail: to...@lavanauts.org
xmpp: antonio...@gmail.com

dan (ddp)

Jun 24, 2016, 8:01:49 AM
to ossec-dev
This was changed in 2.9:
https://github.com/ossec/ossec-hids/pull/689

Antonio Querubin

Jun 24, 2016, 8:08:07 AM
to ossec-dev
Doh! Missed that. Never mind... :)

Vlad Ghita

Jun 24, 2016, 8:15:21 AM
to ossec-dev
Ok, it seems I have a more general issue, as I didn't get it to work even with a localhost postfix mailer (with this setting: <smtp_server>localhost</smtp_server>). As I have no mail in the postfix queue, I suppose ossec never tries to send the alerts (even though I have enabled email notifications: <email_notification>yes</email_notification>). The same configuration (ossec + postfix) worked fine with Ossec 2.8.3.

I suppose it is related to this? "In order for this to work, maild needs to be started without chrooting as it traditionally has done. It will therefore no longer chroot if it detects a / at the start of smtp_server." from your link https://github.com/ossec/ossec-hids/pull/689

dan (ddp)

Jun 24, 2016, 8:26:47 AM
to ossec-dev
On Fri, Jun 24, 2016 at 8:15 AM, Vlad Ghita <vlad....@gmail.com> wrote:
> Ok, it seems I have a more general issue, as I didn't get it to work even
> with a localhost postfix mailer. (with this setting
> <smtp_server>localhost</smtp_server>). As I have no mail in postfix queue, I
> suppose ossec never tries to send the alerts (even I have enabled email
> notifications: <email_notification>yes</email_notification>). The same
> configuration (ossec + postfix) worked fine with Ossec 2.8.3
>

Are there any logs in the postfix log file that might be related?
Is ossec-maild running?

> I suppose it is related to this? "In order for this to work, maild needs to
> be started without chrooting as it traditionally has done. It will therefore
> no longer chroot if it detects a / at the start of smtp_server." from your
> link https://github.com/ossec/ossec-hids/pull/689
>

That should automagically happen if you configure maild to use a
program instead of a mail server.

> On Friday, June 24, 2016 at 3:08:07 PM UTC+3, Antonio Querubin wrote:
>>
>> On Fri, 24 Jun 2016, dan (ddp) wrote:
>>
>> > On Fri, Jun 24, 2016 at 7:56 AM, Antonio Querubin <to...@lavanauts.org>
>> > wrote:
>>
>> >> smtp_server can only be a hostname or IP address. During startup,
>> >> ossec is
>> >> probably complaining that the value doesn't resolve to an IP address
>> >> and
>> >> ignoring it.
>> >>
>> >
>> > This was changed in 2.9:
>> > https://github.com/ossec/ossec-hids/pull/689
>>
>> Doh! Missed that. Never mind... :)
>>
>> Antonio Querubin
>> e-mail: to...@lavanauts.org
>> xmpp: antonio...@gmail.com
>

Vlad Ghita

Jun 24, 2016, 9:53:44 AM
to ossec-dev
Yes, all services seem to work fine:

# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...

Postfix is working fine, btw I've compiled ossec 2.9 sources with TARGET=local.
One thing I've discovered is that smtp_server doesn't accept hostname but only IP address.
I receive this when I put <smtp_server>localhost</smtp_server>:
getaddrinfo: Name or service not known
ossec-maild(1223): ERROR: Error Sending email to localhost (smtp server)

If I change with <smtp_server>127.0.0.1</smtp_server>, it works.
Still no success with MSMTP :( but I've noticed you didn't use TLS in your test (tls=off auth=off)
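
Added example (not part of the thread, and not OSSEC code): the smtp_server values tried in this thread fall into a few categories, and a short shell check can tell which one a given ossec.conf uses. The function names and the sender@example.com address are made up for illustration, and only IPv4 literals are recognised as addresses.

```shell
#!/bin/sh
# Added example, not OSSEC code. The categories follow what this thread
# reports for OSSEC 2.9; function names are hypothetical.

# Print the <smtp_server> value from an ossec.conf, joining a value that a
# mail client or editor wrapped across lines.
smtp_server_value() {
    tr '\n' ' ' < "$1" |
        sed -n 's:.*<smtp_server>\(.*\)</smtp_server>.*:\1:p'
}

# Classify a value:
#   program       starts with "/": per the PR text quoted in the thread, maild
#                 then does not chroot and uses the value as a mailer program
#   not-absolute  contains a space but has no leading "/": a command line
#                 that does not begin with the mandatory "/"
#   ipv4          dotted quad, used directly as the SMTP server address
#   hostname      anything else; it must resolve (the thread shows a
#                 getaddrinfo failure for "localhost")
classify_smtp_server() {
    case "$1" in
        '')        echo empty ;;
        /*)        echo program ;;
        *' '*)     echo not-absolute ;;
        *[!0-9.]*) echo hostname ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) echo ipv4 ;;
        *)         echo hostname ;;
    esac
}

# Usage: sh check_smtp_server.sh <path to ossec.conf>
if [ "$#" -gt 0 ]; then
    value=$(smtp_server_value "$1")
    printf '%s -> %s\n' "$value" "$(classify_smtp_server "$value")"
fi
```

A result of not-absolute or hostname points at the two failure cases reported above: a value that is never treated as a program, and a name lookup that fails.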

dan (ddp)

Jun 24, 2016, 10:32:07 AM
to ossec-dev
On Fri, Jun 24, 2016 at 9:53 AM, Vlad Ghita <vlad....@gmail.com> wrote:
> Yes, all services seem to work fine:
>
> # /var/ossec/bin/ossec-control status
> ossec-monitord is running...
> ossec-logcollector is running...
> ossec-syscheckd is running...
> ossec-analysisd is running...
> ossec-maild is running...
> ossec-execd is running...
>
> Postfix is working fine, btw I've compiled ossec 2.9 sources with
> TARGET=local.
> One thing I've discovered is that smtp_server doesn't accept hostname but
> only IP address.
> I receive this, when I put <smtp_server>localhost</smtp_server>:
> getaddrinfo: Name or service not known
> ossec-maild(1223): ERROR: Error Sending email to localhost (smtp server)
>

Sounds like it does the lookup after chroot, or your localhost entry
is misconfigured.

> If I change with <smtp_server>127.0.0.1</smtp_server>, it works.
> Still no success with MSMTP :( but I've noticed you didn't use TLS in your
> test (tls=off auth=off)
>

I don't use msmtp, so I tried a simple test to make sure the
functionality worked.

rakesh...@eltropy.com

Jun 4, 2017, 5:55:15 AM
to ossec-dev
@Vlad Ghita any luck in making it work? I tried almost the whole day yesterday but mails are not being sent at all. I don't see any error in ossec or mail being triggered from msmtp logs.


On Thursday, June 23, 2016 at 5:51:10 PM UTC+5:30, Vlad Ghita wrote:
> Hi all,
>
> Can you please tell me if I can use OSSEC v2.9 with MSMTP mailer? I tried to use it like this in ossec.conf file but doesn't work:
>
> <smtp_server> msmtp -v --timeout 20 -f "tvlc.r...@gmail.com" -t</smtp_server>
>
> and this is an example of how I use msmtp to send mail:
>
>
> Cc:
> Bcc:
> Subject:TEST MAIL
> Content-Type: text/html;
> <html>
> <head>
> <title>TITLE</title>
> <BR>this is a test mail</BR>
> </head>
> </html>" | msmtp -v --timeout 10 -f "ma...@example.com" -t "vlad....@gmail.com"
>
> What do I do wrong? Please help me to get this work, I really want to have OSSEC working with this. Thank you!
>
> Vlad

Vlad Ghita

Jun 6, 2017, 1:51:45 PM
to ossec-dev
Yes, I managed to have it working. Make sure you use OSSEC v2.9, because this is the version which you can use with a client mailer without a server. And first of all, try to send some mails directly with MSMTP, maybe there are some troubles with its configuration (SMTP server, TLS, etc.).