wazuh mail alert not sending mail to multiple address
369 views
Skip to first unread message
Rimon Ahammed Bappy (Security Engineer L2)
Nov 22, 2023, 6:43:03 AM11/22/23
to Wazuh | Mailing List
Hello There,
I have configured smtp server and everything for wazuh mail alert. If i configure one <mail_to> secrtion it works porperly, but if i add multiple <mail_to> secrtion for multiple user, It doesn't send any mail.
Here is my config:
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>yes</email_notification>
<smtp_server>localhost</smtp_server>
<email_from>exa...@gmail.com</email_from>
<email_to>recep...@example.com</email_to>
<email_to> recep...@example.com </email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>no</logall>
<logall_json>no</logall_json>
<email_notification>yes</email_notification>
<smtp_server>localhost</smtp_server>
<email_from>exa...@gmail.com</email_from>
<email_to>recep...@example.com</email_to>
<email_to> recep...@example.com </email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
<agents_disconnection_time>10m</agents_disconnection_time>
<agents_disconnection_alert_time>0</agents_disconnection_alert_time>
</global>
Let me know where i am doing wrong. I need to send mail alert to multiple address.
Diego Mendez Sakugawa
Nov 22, 2023, 8:46:02 AM11/22/23
to Wazuh | Mailing List
Hello Rimon,
Could you please share with me the output of the /var/log/mail.log file or check what's the error?
It would help us detect, what's causing the error within each attempt.
Please remember to obfuscate any sensitive information from it.
Looking forward to your feedback!
Regards.
Rimon Ahammed Bappy (Security Engineer L2)
Nov 22, 2023, 11:20:35 PM11/22/23
to Wazuh | Mailing List
Hello Diego,
Nov 23 04:03:31 ip-172-31-12-230 postfix/smtpd[302212]: F2D0F142768: client=localhost[127.0.0.1]
Nov 23 04:03:32 ip-172-31-12-230 postfix/trivial-rewrite[302216]: warning: /etc/postfix/main.cf, line 52: overriding earlier entry: relayhost=
Nov 23 04:03:32 ip-172-31-12-230 postfix/trivial-rewrite[302216]: warning: /etc/postfix/main.cf, line 58: overriding earlier entry: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination
Nov 23 04:03:32 ip-172-31-12-230 postfix/cleanup[302215]: F2D0F142768: message-id=<2023112304033...@ip-172-31-12-230.ap--1.compute.internal>
Nov 23 04:03:32 ip-172-31-12-230 postfix/qmgr[271404]: F2D0F142768: from=<sen...@example.com>, size=949, nrcpt=2 (queue active)
Nov 23 04:03:32 ip-172-31-12-230 postfix/smtpd[302212]: disconnect from localhost[127.0.0.1] helo=1 mail=1 rcpt=2 data=1 quit=1 commands=6
Nov 23 04:03:32 ip-172-31-12-230 postfix/smtp[302217]: warning: /etc/postfix/main.cf, line 52: overriding earlier entry: relayhost=
Nov 23 04:03:32 ip-172-31-12-230 postfix/smtp[302217]: warning: /etc/postfix/main.cf, line 58: overriding earlier entry: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination
Nov 23 04:03:34 ip-172-31-12-230 postfix/bounce[302219]: warning: /etc/postfix/main.cf, line 52: overriding earlier entry: relayhost=
Nov 23 04:03:34 ip-172-31-12-230 postfix/bounce[302219]: warning: /etc/postfix/main.cf, line 58: overriding earlier entry: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination
Nov 23 04:03:34 ip-172-31-12-230 postfix/smtp[302217]: F2D0F142768: to=<recep...@example.com>, relay=smtp.gmail.com[74.125.200.109]:587, delay=3, delays=0.06/0.12/1.9/0.92, dsn=5.7.1, status=bounced (host smtp.gmail.com[74.125.200.109] said: 550-5.7.1 This message is not RFC 5322 compliant. There are multiple To headers. 550-5.7.1 To reduce the amount of spam sent to Gmail, this message has been 550-5.7.1 blocked. Please visit 550-5.7.1 https://support.google.com/mail/?p=RfcMessageNonCompliant and review 550 5.7.1 RFC 5322 specifications for more information. fh31-20020a056a00391f00b006cb98a269f1sm246060pfb.125 - gsmtp (in reply to end of DATA command))
Nov 23 04:03:35 ip-172-31-12-230 postfix/smtp[302217]: F2D0F142768: to=<recep...@example.com>, relay=smtp.gmail.com[74.125.200.109]:587, delay=3, delays=0.06/0.12/1.9/0.92, dsn=5.7.1, status=bounced (host smtp.gmail.com[74.125.200.109] said: 550-5.7.1 This message is not RFC 5322 compliant. There are multiple To headers. 550-5.7.1 To reduce the amount of spam sent to Gmail, this message has been 550-5.7.1 blocked. Please visit 550-5.7.1 https://support.google.com/mail/?p=RfcMessageNonCompliant and review 550 5.7.1 RFC 5322 specifications for more information. fh31-20020a056a00391f00b006cb98a269f1sm246060pfb.125 - gsmtp (in reply to end of DATA command))
Nov 23 04:03:35 ip-172-31-12-230 postfix/cleanup[302215]: 009BA142F00: message-id=<2023112304033...@ip-172-31-12-230.ap--1.compute.internal>
Nov 23 04:03:35 ip-172-31-12-230 postfix/qmgr[271404]: 009BA142F00: from=<>, size=5100, nrcpt=1 (queue active)
Nov 23 04:03:35 ip-172-31-12-230 postfix/bounce[302219]: F2D0F142768: sender non-delivery notification: 009BA142F00
Nov 23 04:03:35 ip-172-31-12-230 postfix/qmgr[271404]: F2D0F142768: removed
Nov 23 04:03:35 ip-172-31-12-230 postfix/smtp[302217]: connect to smtp.gmail.com[2404:6800:4003:c04::6c]:587: Network is unreachable
Nov 23 04:03:37 ip-172-31-12-230 postfix/smtp[302217]: 009BA142F00: to=<sen...@example.com>, relay=smtp.gmail.com[74.125.200.109]:587, delay=2.9, delays=0.01/0.01/1.9/1, dsn=2.0.0, status=sent (250 2.0.0 OK 1700712217 jh9-20020a170903328900b001bf846dd2d0sm219768plb.13 - gsmtp)
Nov 23 04:03:37 ip-172-31-12-230 postfix/qmgr[271404]: 009BA142F00: removed
Nov 23 04:03:32 ip-172-31-12-230 postfix/trivial-rewrite[302216]: warning: /etc/postfix/main.cf, line 52: overriding earlier entry: relayhost=
Nov 23 04:03:32 ip-172-31-12-230 postfix/trivial-rewrite[302216]: warning: /etc/postfix/main.cf, line 58: overriding earlier entry: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination
Nov 23 04:03:32 ip-172-31-12-230 postfix/cleanup[302215]: F2D0F142768: message-id=<2023112304033...@ip-172-31-12-230.ap--1.compute.internal>
Nov 23 04:03:32 ip-172-31-12-230 postfix/qmgr[271404]: F2D0F142768: from=<sen...@example.com>, size=949, nrcpt=2 (queue active)
Nov 23 04:03:32 ip-172-31-12-230 postfix/smtpd[302212]: disconnect from localhost[127.0.0.1] helo=1 mail=1 rcpt=2 data=1 quit=1 commands=6
Nov 23 04:03:32 ip-172-31-12-230 postfix/smtp[302217]: warning: /etc/postfix/main.cf, line 52: overriding earlier entry: relayhost=
Nov 23 04:03:32 ip-172-31-12-230 postfix/smtp[302217]: warning: /etc/postfix/main.cf, line 58: overriding earlier entry: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination
Nov 23 04:03:34 ip-172-31-12-230 postfix/bounce[302219]: warning: /etc/postfix/main.cf, line 52: overriding earlier entry: relayhost=
Nov 23 04:03:34 ip-172-31-12-230 postfix/bounce[302219]: warning: /etc/postfix/main.cf, line 58: overriding earlier entry: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination
Nov 23 04:03:34 ip-172-31-12-230 postfix/smtp[302217]: F2D0F142768: to=<recep...@example.com>, relay=smtp.gmail.com[74.125.200.109]:587, delay=3, delays=0.06/0.12/1.9/0.92, dsn=5.7.1, status=bounced (host smtp.gmail.com[74.125.200.109] said: 550-5.7.1 This message is not RFC 5322 compliant. There are multiple To headers. 550-5.7.1 To reduce the amount of spam sent to Gmail, this message has been 550-5.7.1 blocked. Please visit 550-5.7.1 https://support.google.com/mail/?p=RfcMessageNonCompliant and review 550 5.7.1 RFC 5322 specifications for more information. fh31-20020a056a00391f00b006cb98a269f1sm246060pfb.125 - gsmtp (in reply to end of DATA command))
Nov 23 04:03:35 ip-172-31-12-230 postfix/smtp[302217]: F2D0F142768: to=<recep...@example.com>, relay=smtp.gmail.com[74.125.200.109]:587, delay=3, delays=0.06/0.12/1.9/0.92, dsn=5.7.1, status=bounced (host smtp.gmail.com[74.125.200.109] said: 550-5.7.1 This message is not RFC 5322 compliant. There are multiple To headers. 550-5.7.1 To reduce the amount of spam sent to Gmail, this message has been 550-5.7.1 blocked. Please visit 550-5.7.1 https://support.google.com/mail/?p=RfcMessageNonCompliant and review 550 5.7.1 RFC 5322 specifications for more information. fh31-20020a056a00391f00b006cb98a269f1sm246060pfb.125 - gsmtp (in reply to end of DATA command))
Nov 23 04:03:35 ip-172-31-12-230 postfix/cleanup[302215]: 009BA142F00: message-id=<2023112304033...@ip-172-31-12-230.ap--1.compute.internal>
Nov 23 04:03:35 ip-172-31-12-230 postfix/qmgr[271404]: 009BA142F00: from=<>, size=5100, nrcpt=1 (queue active)
Nov 23 04:03:35 ip-172-31-12-230 postfix/bounce[302219]: F2D0F142768: sender non-delivery notification: 009BA142F00
Nov 23 04:03:35 ip-172-31-12-230 postfix/qmgr[271404]: F2D0F142768: removed
Nov 23 04:03:35 ip-172-31-12-230 postfix/smtp[302217]: connect to smtp.gmail.com[2404:6800:4003:c04::6c]:587: Network is unreachable
Nov 23 04:03:37 ip-172-31-12-230 postfix/smtp[302217]: 009BA142F00: to=<sen...@example.com>, relay=smtp.gmail.com[74.125.200.109]:587, delay=2.9, delays=0.01/0.01/1.9/1, dsn=2.0.0, status=sent (250 2.0.0 OK 1700712217 jh9-20020a170903328900b001bf846dd2d0sm219768plb.13 - gsmtp)
Nov 23 04:03:37 ip-172-31-12-230 postfix/qmgr[271404]: 009BA142F00: removed
Thanks for replying
Diego Mendez Sakugawa
Nov 23, 2023, 4:26:03 AM11/23/23
to Wazuh | Mailing List
Hello Rimon,
I can see that you're using the Gmail SMTP. In some email servers, there is a problem in the way the recipients of the message are constructed and that makes it not compliant with the standard.
Error for reference: This message is not RFC 5322 compliant. There are multiple To headers.
As an alternative you may consider these options:
- Wazuh's integration with external APIs: https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html
- Please take a look at the Slack and/or Shuffle integration to receive alert notifications.
- Wazuh's custom integration capability: https://documentation.wazuh.com/current/user-manual/manager/manual-integration.html#custom-integration
- You can develop a script that sends the email notifications or communicates with your API.
- You may check this script for custom email notifications as an integration: https://github.com/jctello/JCT-Wazuh/blob/main/integrations/custom-email-alerts. It will probably need some customization on your part depending on what information you want to receive by email.
- You can configure the email alerts using only one email address and then automatically forward these alerts to the other email addresses.
- With Gmail, you can create a filter for the Wazuh alerts that forwards the message to the other addresses: https://support.google.com/mail/answer/6579?sjid=2984082458683992271-SA
Hopefully, one of these options may suit your configuration using Gmail.
Please let me know if you have any other questions.
Best regards,
Diego
Rimon Ahammed Bappy (Security Engineer L2)
Nov 23, 2023, 4:51:54 AM11/23/23
to Diego Mendez Sakugawa, Wazuh | Mailing List
Hello Diego,
Thanks for the help.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/hX7ZCRc5s0s/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/19ae353b-b7fb-4461-ab0f-ce8bae58ee56n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages