Alert email error

Ray Wilson

Jul 27, 2021, 3:35:58 AM
to Wazuh mailing list

Team, I'm working to get an alert email from Wazuh.
We have our own Axigen SMTP server. Below are the steps I did:

1) Installed Postfix on the Wazuh Manager server.
2) Configured the SMTP server name (mycompany.smtp.com port 25 myemail:password to login email) in postfix/sasl_passwd.
3) Configured the Wazuh global settings. Enabled email alerts.

But when I try to send a test mail through Postfix, it is not sending any email to the recipient. I have mentioned the same email that is in Postfix in the Wazuh global settings.
When I check the logs, it shows:
ossec-maild: ERROR:  (1223) : Error sending mail to 127.0.0.1 (smtp server)
ossec-maild: ERROR:  (1765) :RCPT TO not accepted by server - (myemai)

Please assist with which section I made a mistake in.

Mauricio Ruben Santillan

Jul 28, 2021, 5:31:30 PM
to Wazuh mailing list
Hello Ray,

Thanks for using Wazuh!

According to our documentation, in order to get Postfix working with Wazuh you need to add the following text to the file /etc/postfix/main.cf:
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/thawte_Primary_Root_CA.pem
smtp_use_tls = yes
NOTE: Make sure to set proper SMTP server and port in relayhost.

Then configure the email address and password:
echo [smtp.gmail.com]:587 USER...@gmail.com:PASSWORD > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
chmod 400 /etc/postfix/sasl_passwd
NOTE: Make sure to set proper SMTP server and port in "echo" command.

Secure the DB password:
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

And finally restart Postfix:
systemctl reload postfix

Once all steps were performed, you should be able to test this running:
echo "Test mail from postfix" | mail -s "Test Postfix" -r "y...@example.com" y...@example.com

Then, in the Wazuh Manager configuration file (/var/ossec/etc/ossec.conf), you need to set the following settings:
<global>
  <email_notification>yes</email_notification>
  <smtp_server>localhost</smtp_server>
  <email_from>USER...@gmail.com</email_from>
  <email_to>y...@example.com</email_to>
</global>

Please notice that these settings already exist in the configuration file (almost at the top). Make sure to set them as recommended.

NOTE: I tested this configuration using both a Gmail and an Outlook account. Gmail didn't work but Outlook did without any problem.

Please let me know if you need further assistance!
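
The following check is an added example, not part of the original reply or the Wazuh documentation. It inspects the files from the steps above: Postfix looks up the SASL credentials by the relayhost value as written, so the sasl_passwd key must match it exactly; both credential files should be closed to group and others; and the .db must not be older than its source. The function names and the sample generator are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: consistency check for the Postfix relay files from the steps above.
# Function names are hypothetical; pass paths to copies or to the live files.

# Print the effective relayhost (Postfix uses the last assignment in main.cf).
relayhost_of() {
    sed -n 's/^[[:space:]]*relayhost[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one finding per line; return 0 only when there are no findings.
check_relay_auth() {
    main_cf=$1; passwd=$2; findings=0
    relay=$(relayhost_of "$main_cf")
    if [ -z "$relay" ]; then
        echo "NO_RELAYHOST: $main_cf sets no relayhost"; findings=1
    # The credential lookup key must equal relayhost as written (brackets, port).
    elif ! awk -v k="$relay" '$1 == k { ok = 1 } END { exit !ok }' "$passwd" 2>/dev/null; then
        echo "KEY_MISMATCH: no sasl_passwd entry keyed exactly $relay"; findings=1
    fi
    for f in "$passwd" "$passwd.db"; do
        if [ ! -e "$f" ]; then
            echo "MISSING: $f"; findings=1
        # Characters 5-10 of the mode string are the group and other bits.
        elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "LOOSE_PERMS: $f is accessible to group or others"; findings=1
        fi
    done
    # A source newer than the .db means postmap was not re-run after an edit.
    if [ -e "$passwd.db" ] && [ "$passwd" -nt "$passwd.db" ]; then
        echo "STALE_DB: re-run postmap $passwd"; findings=1
    fi
    return "$findings"
}

# Constructed sample input: relayhost as in the reply, sasl_passwd keyed by $2.
make_sample() {
    mkdir -p "$1"
    printf 'relayhost = [smtp.gmail.com]:587\nsmtp_sasl_auth_enable = yes\n' > "$1/main.cf"
    printf '%s USER@example.com:PLACEHOLDER\n' "$2" > "$1/sasl_passwd"
    : > "$1/sasl_passwd.db"    # stands in for the file postmap would build
    chmod 0600 "$1/sasl_passwd" "$1/sasl_passwd.db"
}

# Usage: sh check.sh /etc/postfix/main.cf /etc/postfix/sasl_passwd
if [ "$#" -eq 2 ]; then check_relay_auth "$1" "$2"; fi
```

An empty result with exit status 0 means the three checks passed; it says nothing about whether the upstream SMTP server accepts the sender or recipient.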

Mauricio Ruben Santillan

Jul 29, 2021, 12:47:28 PM
to Wazuh mailing list
Hello Ray,
Have you checked the mail log? It's usually located in /var/log/maillog or /var/log/mail.log.
Most surely it will tell you if there's something wrong with your mailbox.
As previously stated, I couldn't make this work using a Gmail account, but I did accomplish this using an old Hotmail box (Outlook). This tells us that not all mailboxes are enabled to be used as an SMTP server by default.
Could it be possible that you need to enable or configure something in your SMTP server?

Looking forward to your comments.




------------------------------------------------------------


Defence Technology
12:15 AM (13 hours ago)

Hi Mauricio,

Thank you for your reply. Really appreciate it.

I have done all the steps you've mentioned. I followed the exact Wazuh documentation, which is the same as yours.
But it is still not getting any test e-mail > echo "Test mail from postfix" | mail -s "Test Postfix" -r.
When I check the logs > /var/ossec/logs/ossec.log, it shows the error message which I have mentioned, RCPT TO not accepted by server.
We are using an Axigen SMTP server.

