Email notifications using smtp-relay.gmail.com

CRiaks

Mar 14, 2026, 4:24:11 PM
to Wazuh | Mailing List
Hi team,

I would like to configure Wazuh to send email notifications when a rule above level 12 is triggered.
I already read this documentation and this blog post but I don't want to install postfix packages on this server.

This is my configuration from ossec.conf:
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>yes</email_notification>
    <smtp_server>smtp-relay.gmail.com</smtp_server>
    <email_from>wa...@company.com</email_from>
    <email_to>i...@company.com</email_to>

    <email_maxperhour>50</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>15m</agents_disconnection_time>
    <agents_disconnection_alert_time>0</agents_disconnection_alert_time>
    <update_check>yes</update_check>
  </global>

I managed to configure smtp-relay.gmail.com as a sender in OpenSearch, so I thought it would be possible in the Wazuh configuration too.

Regards

hasitha.u...@wazuh.com

Mar 15, 2026, 4:53:45 AM
to Wazuh | Mailing List

Hi CRiaks,

Yes, you are right.

Wazuh’s built-in mailer, wazuh-maild, does not support authenticated SMTP. Because of that, it cannot send email directly through providers like Gmail or Microsoft 365, which usually require authentication.
Ref: https://documentation.wazuh.com/current/user-manual/manager/alert-management.html

So even if smtp-relay.gmail.com works in OpenSearch, it does not mean it will work in Wazuh. OpenSearch can use components that support SMTP authentication, but Wazuh’s native mailer cannot.

I tested this and received the following error when I sent an email without using authentication in Notification.

[status_exception] {"event_status_list": [{"config_id":"_pWi8JwB2PbRSzNsJatp","config_type":"email","config_name":"temp-test","email_recipient_status":[{"recipient":"hassy...@gmail.com","delivery_status":{"status_code":"502","status_text":"sendEmail Error, status:530-5.7.0 Authentication Required. For more information, go to\n530 5.7.0 https://support.google.com/accounts/troubleshooter/2402620. d9443c01a7336-2aece858d18sm72958535ad.86 - gsmtp\n"}}],"delivery_status":{"status_code":"502","status_text":"sendEmail Error, status:530-5.7.0 Authentication Required. For more information, go to\n530 5.7.0 https://support.google.com/accounts/troubleshooter/2402620. d9443c01a7336-2aece858d18sm72958535ad.86 - gsmtp\n"}}]}

This means Gmail accepted the connection, but rejected the message because no valid SMTP authentication was provided.

I have found a GitHub issue that explains the workaround to achieve this.
Additionally, check this reference to use Wazuh indexer-based email alerting.

To make email alerts work, you need to use a mail relay in between. The most common option is Postfix, which handles authentication and TLS, while Wazuh only sends mail locally without authentication.

  • If you are using Wazuh server email alerting, Postfix needs to be installed on the Wazuh server node.

  • If you are using the OpenSearch Notification plugin, then the email is being sent from the indexer node, so Postfix should be configured on the indexer node and used as localhost (if you use an SMTP relay).
    Otherwise, you need to configure authentication on the Wazuh indexer side, as mentioned in the links.

Let me know if you need help with that setup.

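A minimal Postfix relay of the kind described in the reply above, as an added example that is not part of the original thread or of Wazuh's own documentation. It assumes submission on port 587 and a relay credential stored in /etc/postfix/sasl_passwd; the account and password shown are placeholders.

```ini
# /etc/postfix/main.cf (added example; file paths and port are assumptions)

# Forward all outbound mail to the Google relay.
# The square brackets disable the MX lookup for the host name.
relayhost = [smtp-relay.gmail.com]:587

# Authenticate to the relay, which wazuh-maild cannot do on its own.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Refuse anonymous SASL mechanisms.
smtp_sasl_security_options = noanonymous

# Require TLS to the relay so the credential is never sent in cleartext.
smtp_tls_security_level = encrypt

# Listen on loopback only and relay only for this host, so the
# authenticated relay cannot be used by other machines on the network.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128

# /etc/postfix/sasl_passwd (placeholder credential):
#   [smtp-relay.gmail.com]:587 RELAY_ACCOUNT@example.com:APP_PASSWORD
# Restrict it to root (chmod 600) and run "postmap /etc/postfix/sasl_passwd"
# so the hash: lookup table exists, then reload Postfix.
#
# ossec.conf <global> then points at the local relay instead of Gmail:
#   <smtp_server>localhost</smtp_server>
```

The key in sasl_passwd must match the relayhost value exactly, brackets and port included, or Postfix will not find the credential and the relay will answer with the same 530 Authentication Required error.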