wazuh does not send emails

[Matias]

Hello Wazuh team, i have a problem..

I configured postfix to send emails with authentication and it works correctly, I perform the test suggested in the documentation and it is correct

I also configured the osse.conf (attached screenshot) but I couldn't receive the alerts.

What configuration am I missing?

[Carlos Dams]

Hi Matias,

Thanks for using Wazuh!

Did you follow the documentation from the article SMTP server with authentication and the step 6 which is Test the configuration was successful?

The screenshot you shared is very helpful, 

I noticed you have the label <level>4 </level>  and I assume you are expecting to receive alerts from level 4 and above, however, the <email_alert_level>11</email_alert_level> will only allow emails from level 11 and above.

What I recommend you to do is to test with a rule that you can trigger the alert easily, you will overwrite this rule following article: Change the rules and add <options>alert_by_email</options> which will force the alert to be sent

An example of a simple rule is rule id 5710 which is "sshd: Attempt to login using a non-existent user"

Another option to test the emails from Wazuh is to decrease the <email_alert_level>11</email_alert_level> to a lower value like 7 and change the <level>4 </level>  to 7 too since it must be at same or above level.

I hope this information addresses the issue you are experiencing, please let me know

[Matias]

Dear, thank you very much for the answer, taking into account what you told me, I put all the alerts at level 4 so that many emails start to arrive but nothing happens

[Matias]

I also add these captures to verify that the postfix works well

[Carlos Dams]

Hi Matias, 

When you tested using echo "Test mail from postfix" | mail -s "Test Postfix" -r "y...@example.com" y...@example.com did you receive the email?

Did you restart the Wazuh manager after applying the changes on the main configuration file?

Execute ss -ltnu on the Wazuh Manager host to check if localhost is listening on port 25, you can attach the result here to help you with that

[Matias]

Thank you very much for your answer.
As I show in the screenshot, the test email arrives without a problem.

Now that you mention, we use port 9025 instead of 25, could that be?
I attach the screenshot

[Carlos Dams]

Hi Matias,

Thanks for the screenshot and the additional information,

Yes, that is definitely a problem since Wazuh will try to communicate on port 25

However, when I see the screenshot there is something listening on port 25 which I think is postfix, is the smtp relay postfix on the same host of the Wazuh Server or is it on a different host?

I was checking again your first screenshot and I noticed you have a domain in <smtp_server> , let's try changing that value to localhost, change that line for <smtp_server>localhost</smtp_server>

Try that way before making any change on postfix, also if you are still not receiving email alerts, share the /var/ossec/logs/ossec.log and /var/log/maillog for me to take a look

[Carlos Dams]

Hi Matias,

Probably there was a misunderstanding in my previous message, you should have:

• postfix on port 25
• Under /var/ossec/etc/ossec.conf  have <smtp_server>localhost</smtp_server> instead of  <smtp_server>xxxxxx.com.uy</smtp_server> that I could notice from the first screenshot

I checked the logs and it seems you changed the smtp_server to localhost which is correct wazuh-maild: ERROR: (1223): Error Sending email to 127.0.0.1 (smtp server), however, it is still necessary to change the port for postfix to well known smtp port 25

On Wednesday, November 30, 2022 at 11:54:39 AM UTC-3 mmarr...@gmail.com wrote:

I changed the port that the localhost listens to 9025 and I was not successful, I am attaching what you requested

[Matias]

Carlos you helped me a lot.
It was working correctly.

Thank you so much

[Carlos Dams]

Thanks for that update! 

Glad it is working!