Issue with mail notification PostFix and Wazuh

[Matteo]

Hello everyone,

I'm on Wazuh 4.5.3

And I got an issue with mail notification on Wazuh.

This is my PostFix Config :

I did configure postfix like it is in the documentation and when I'm doing

    'echo "message" | mail -a "From: sender@domain" -s "Subject" me@domain'

It worked well, I'm receiving the test on my mail address.

So I did start to configure a channel to send notification.

Channel :

SMTP Sender :

Of course, I did put the mail address to send my mail.

Recipient group :

Same, I did put my mail address.

Now when I'm doing a test with the button, I got this error

And I don't understand why I got this error, I got it before when I was using the command line to test PostFix on the server.

And I did checkup my configuration that was wrong, and I did solve it quite easily.

But now I know that my configuration is good, so why ?

(If you don't understand something, or you want me to give more information, I will provide answer as fast as I can)

[Gabriel Diaz Lopez de la Llave]

hello! 

There are two email notification systems on Wazuh, one is tied to the manager and one is tied to the indexer/dashboard.

Reading your configuration steps, I guess you want to use the notification system of indexer/dashboard. The error is telling you the indexer is unable to connect to postfix in its localhost. 

Where did you install postfix? Is it in the same machine as indexer, dashboard, manager or on a 3rd party machine?

What you need to achieve is communication between the indexer and the postfix machine. One way is to install postfix on the indexer machine, then you will be able to use localhost as the SMTP server.  But I think if you install postfix on the manager, and then set the notifications to use the manager as SMTP server could make the same postfix work for both: the server and the indexer.

To do this, you need to ensure postfix is installed in the manager machine, and that it listens in the same IP address the manager uses to communicate with the indexer. Then, you can configure the indexer from the UI to use that address as the SMTP server.

slds.

Gabriel

[Matteo]

Thanks for replying so quickly !

For the installation, everything is on the same machine (PostFix and all Wazuh components)

So from what I understand Wazuh should be able to communicate with postfix because the indexer, the manager, and the dashboard are on the same machine as postfix.

[Gabriel Diaz Lopez de la Llave]

ok! Then we will need to diagnose the communications to ensure it is listening where it should.

I will start by checking that postfix is actually listening in the 587 port, for example using the ss command:

# ss -lnap | grep postfix

Also, I would check indexer logs, because there might be more information related to the error shown in the dashboard. The log files to check are in /var/log/wazuh-indexer

The SMTP port 587 is used with TLS, which certificates did you use? If there is an error validating the certificates when indexer connects, they should appear in the mentioned log files.

slds.

Gabriel

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/CWR4OWnNl0w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9d9d643e-9ad4-4042-82cb-703b85d0b6dan%40googlegroups.com.

[Matteo]

I did check ss command, and it says unconnected, so I don't understand, and I'm sure it's because of this error that I can't send mail.

But I don't know how to resolve it maybe in main.cf ?

Or master.cf ?

And I have to check the log files, but I'm sure it will say nothing because of the unconnected error

[Gabriel Diaz Lopez de la Llave]

You can also test the connectivity from the indexer to your email server like:

openssl s_client -starttls smtp -connect your.postfix.host.com:587

where your.postfix.host.com can be a domain name or ip address. Because in this case everything is on the same machine, 

executing something like:

openssl s_client -starttls smtp -connect localhost:587

should succeed.

You can check your main.cf and search for the inet_interfaces configuration, that should look like

inet_interfaces = 127.0.0.1

slds.

Gabriel

[Matteo]

Thanks for all your answers it greatly helped me find out the solution

this is my main.cf config for all the people that have the same issue