Multiple repetition of same address in mail alert


Daniel D'Angeli
Jun 28, 2022, 5:19:51 AM
to Wazuh mailing list
Hi,

Wazuh Docker 4.3.4 (experienced in 4.2.0 as well)

I noticed that Wazuh repeats every address but the first of the TO field in the CCN field when sending a mail alert. I looked at the ossec.conf and I didn't put anything more than the addresses in the email_to parameters.

Like here:
Immagine 2022-06-28 111623.png

As you can see, "Me" and "a" are repeated in both the To and CCN fields.

Is it a bug?

Regards,
Daniel D.

elw...@wazuh.com
Jun 28, 2022, 7:18:51 AM
to Wazuh mailing list

Hello Daniel,

I have just performed a quick test and there is no repetition for the email as you can see below:
image (143).png

It would be helpful if you can share your `ossec.conf` file to test with the same configuration as yours.

Regards,
Wali

Daniel D'Angeli
Jun 28, 2022, 11:30:53 AM
to Wazuh mailing list
Hi,

I've attached the config of both the Master and Worker nodes.

Regards,
Daniel D.
wazuh_worker.conf
wazuh_manager.conf

elw...@wazuh.com
Jun 29, 2022, 8:20:26 AM
to Wazuh mailing list
Hello Daniel,

I have just added explicitly duplicated emails in the email_to, in vain. I am not able to replicate the same behavior; note that it could be related to the SMTP used in your case:

image (147).png
image (148).png

You should probably review the SMTP logs or configuration.

Regards,
Wali

Daniel D'Angeli
Jun 30, 2022, 3:01:44 AM
to Wazuh mailing list
Hi,

I sent a test mail from the Postfix container and it sends out correctly without putting me in both TO and CCN.

Immagine 2022-06-30 085301.png

From the logs of the container nothing seems to be wrong. I'll attach it here to have a look:
Jun 30 08:09:19 wazuh-smtp smtpd[521]: connect from wazuh.master
Jun 30 08:09:20 wazuh-smtp smtpd[521]: 03176186CC0CB: client=wazuh.master
Jun 30 08:09:20 wazuh-smtp cleanup[524]: 03176186CC0CB: warning: header Subject: Wazuh notification - (OMISSIS) any - Alert level 11 from wazuh.master[OMISSIS]; from=<OMISSIS> to=<OMISSIS> proto=SMTP helo=<notify.ossec.net>
Jun 30 08:09:20 wazuh-smtp cleanup[524]: 03176186CC0CB: message-id=<>
Jun 30 08:09:20 wazuh-smtp qmgr[96]: 03176186CC0CB: from=<OMISSIS>, size=812, nrcpt=3 (queue active)
Jun 30 08:09:20 wazuh-smtp smtpd[521]: disconnect from wazuh.master
Jun 30 08:09:22 wazuh-smtp smtp[525]: 03176186CC0CB: to=<OMISSIS>, relay=smtp.gmail.com[172.253.120.108]:587, delay=2.3, delays=0.09/0.08/0.63/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK  1656569362 p28-20020a1c545c000000b003a02de5de80sm1445702wmi.4 - gsmtp)
Jun 30 08:09:22 wazuh-smtp smtp[525]: 03176186CC0CB: to=<OMISSIS>, relay=smtp.gmail.com[172.253.120.108]:587, delay=2.3, delays=0.09/0.08/0.63/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK  1656569362 p28-20020a1c545c000000b003a02de5de80sm1445702wmi.4 - gsmtp)
Jun 30 08:09:22 wazuh-smtp smtp[525]: 03176186CC0CB: to=<OMISSIS>, relay=smtp.gmail.com[172.253.120.108]:587, delay=2.3, delays=0.09/0.08/0.63/1.5, dsn=2.0.0, status=sent (250 2.0.0 OK  1656569362 p28-20020a1c545c000000b003a02de5de80sm1445702wmi.4 - gsmtp)
Jun 30 08:09:22 wazuh-smtp qmgr[96]: 03176186CC0CB: removed

Regards,
Daniel D.

elw...@wazuh.com
Jul 5, 2022, 8:43:46 AM
to Wazuh mailing list
Hello Daniel,

I was trying to reproduce it in vain so far. It would be great if you can share the docker-compose.yml file you use and if you have any special postfix configuration /etc/postfix/main.cf.

Regards,
Wali

Daniel D'Angeli
Jul 6, 2022, 3:18:01 AM
to Wazuh mailing list
Hi,

I have attached the main.cf configuration here. The compose I'm using is the following:
  postfix:
    image: eeacms/postfix:2.10-3.8
    hostname: wazuh-smtp
    restart: unless-stopped
    environment:
      - TZ=Europe/Rome
      - MTP_RELAY=smtp.gmail.com
      - MTP_PORT=587
      - MTP_USER=OMISSIS
      - MTP_PASS=OMISSIS

Regards,
Daniel D.
main.cf

elw...@wazuh.com
Jul 8, 2022, 5:38:23 AM
to Wazuh mailing list
Hello Daniel,

Unfortunately, I am still not able to reproduce the behavior you are experiencing. We might enable verbose debug logs for Postfix http://www.postfix.org/DEBUG_README.html and check the Wazuh logs `/var/ossec/logs/ossec.log` as well.

I will keep trying on my end as well.

Regards,
Wali

Daniel D'Angeli
Jul 11, 2022, 6:43:41 AM
to Wazuh mailing list
OT but still postfix related.

After migrating to Wazuh 4.3.5 on Docker (before 4.2.0 on Docker) we are receiving these alerts from Gmail regarding their intent to block the sending of mails due to the message not being compliant with RFC 5322.

This is the error we receive:
Immagine 2022-07-11 124259.png

Any tips on fixing this?

Regards,
Daniel D.

elw...@wazuh.com
Jul 12, 2022, 3:21:06 AM
to Wazuh mailing list
Hello Daniel,

I have searched about this; it might be related to recent changes in the security standards of GMAIL, as it is considering Postfix a non-secure application (https://support.google.com/accounts/answer/6010255#zippy=)
image (149).png
You can switch to using the Outlook SMTP server instead and test if it works as expected; full details for that are at https://medium.com/@karkoubelwali/configure-emails-in-wazuh-docker-docker-compose-outlook-smtp-f2219ed9d62e.

Hope this helps.

Regards,
Wali

Daniel D'Angeli
Jul 21, 2022, 4:51:34 AM
to Wazuh mailing list
Hi,

I have enabled 2FA on the account and generated an app password according to the new standards by Google, but I'm still having this problem.

550 5.7.1 [209.85.220.41] Our system has detected that this message is not RFC 5322 compliant: duplicate headers. To reduce the amount of spam sent to Gmail, this message has been blocked. Please review RFC 5322 specifications for more information. jr5-20020a170906a98500b0072b6bb5a69bsor523131ejb.63 - gsmtp

From the duplicate headers, I can assume that the problem is related to Wazuh putting the same addresses in both To and BCC. I thought it was a Postfix problem, but I changed image and created a secondary container and I still faced the issue.

Is there a configuration to check other than the ossec.conf to see how Wazuh sends emails and a tool to test the process?

Regards,
Daniel D.

My Wazuh
Dec 9, 2022, 11:29:04 AM
to Wazuh mailing list
When testing and sending alerts FROM a GMAIL address to a domain HOSTED on Google where an alert has multiple recipients, I am reliably seeing Duplicate TO lines in the header (Choose SHOW ORIGINAL from the Gmail message). It looks like Wazuh has had duplicate TO lines in the header for quite some time; but it has recently become an issue for Google. I checked and saw duplicate TO lines in emails from an OLD version 3.X of Wazuh a couple of years ago, but NOT from an old version of OSSEC.

When sending from a Google account to a Google account (or a Google Workspaces hosted account), I am able to see the SENT message, and the BOUNCE message. I DO see multiple TO lines in the header of the SENT message.

To: <recipient at  #domainhostedbyGoogle.com#>
From: Wazuh <sender at  gmail.com>
To: <secondrecipient at  gmail.com>
Date: Thu, 08 Dec 2022 13:38:13 -0500
Subject: Wazuh notification - (AGENT) Y.Y.Y.Y ->EventChannel - Alert level WW

and I see the related bounce message that hits the inbox of the sending account:

550 5.7.1 [x.x.x.x] This message is not RFC 5322 compliant, the issue is: duplicate To headers. To reduce the amount of spam sent to Gmail, this message has been blocked. Please review RFC 5322 specifications for more information.  - gsmtp

This behavior is new for Google. Prior to September, it doesn't look like Google was strictly rejecting for RFC 5322 compliance regarding the TO address.

Does this match your environment / tests as well?
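The two symptoms described in this thread, a repeated To header line (quoted in the post above) and the same address landing in both To and BCC (the first post), are exactly what Gmail's "duplicate headers" bounce is about: RFC 5322 section 3.6 allows at most one To, Cc, Bcc, From, Date or Subject field per message. The following is an added example, not code from Wazuh or from anyone in the thread, that a mail administrator could run over a captured outgoing message (e.g. from a Postfix content filter or a "Show original" dump) to spot both conditions and to rewrite the headers into a compliant form. The sample message is constructed with placeholder addresses in the shape of the headers quoted above.

```python
from email.parser import Parser
from email.utils import getaddresses, formataddr

# Header fields that RFC 5322 section 3.6 allows at most once per message.
SINGLETON_HEADERS = ("From", "Sender", "Reply-To", "To", "Cc", "Bcc",
                     "Message-ID", "In-Reply-To", "References", "Subject", "Date")

# Constructed sample mirroring the header block quoted in the thread;
# the addresses are placeholders, not real recipients.
SAMPLE_DUPLICATE_TO = (
    "To: <recipient@example.com>\r\n"
    "From: Wazuh <sender@example.com>\r\n"
    "To: <secondrecipient@example.com>\r\n"
    "Bcc: <secondrecipient@example.com>\r\n"
    "Date: Thu, 08 Dec 2022 13:38:13 -0500\r\n"
    "Subject: Wazuh notification - (AGENT) Y.Y.Y.Y ->EventChannel - Alert level WW\r\n"
    "\r\n"
    "Alert body.\r\n"
)

def check_rfc5322_headers(raw_message):
    """Report singleton headers that repeat, and addresses listed in more than
    one of To/Cc/Bcc. Two empty lists mean the message passes both checks."""
    msg = Parser().parsestr(raw_message)
    duplicates = [n for n in SINGLETON_HEADERS if len(msg.get_all(n, [])) > 1]
    fields_by_addr = {}
    for field in ("To", "Cc", "Bcc"):
        for _, addr in getaddresses(msg.get_all(field, [])):
            if addr:
                fields_by_addr.setdefault(addr.lower(), set()).add(field)
    cross_listed = sorted(a for a, f in fields_by_addr.items() if len(f) > 1)
    return {"duplicate_headers": duplicates, "cross_listed": cross_listed}

def merge_recipient_headers(raw_message):
    """Collapse repeated To/Cc/Bcc fields into a single field each and drop a
    Cc/Bcc address that is already a To recipient, yielding a compliant message."""
    msg = Parser().parsestr(raw_message)
    already = set()
    for field in ("To", "Cc", "Bcc"):
        kept = []
        for name, addr in getaddresses(msg.get_all(field, [])):
            if addr and addr.lower() not in already:
                already.add(addr.lower())
                kept.append(formataddr((name, addr)))
        del msg[field]  # removes every occurrence of that field
        if kept:
            msg[field] = ", ".join(kept)
    return msg.as_string()
```

Running the check before the message reaches the relay turns Gmail's opaque 550 5.7.1 bounce into a concrete list of the offending fields, and the merge shows what a compliant header block for the same recipients looks like.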

elw...@wazuh.com
Dec 14, 2022, 3:29:52 AM
to Wazuh mailing list
Hello,

Thanks for the provided information. It would be great if you can open an issue to our repo here https://github.com/wazuh/wazuh/issues to investigate and consider the issue.

Regards,
Wali