Linode Community Forums
PostPosted: Mon Jan 11, 2016 1:00 am 
Senior Newbie

Joined: Tue Mar 03, 2015 8:19 pm
Posts: 14
Hi, I'm having an issue with OSSEC not always sending alert emails. I checked the log and I'm getting two error messages:

os_sendmail(1767): WARN: End of DATA not accepted by server

ossec-maild(1223): ERROR: Error Sending email to 74.125.141.27 (smtp server)

I've done some research, but not sure how to fix the issue.


Last edited by jgallaher on Mon Jan 18, 2016 7:02 pm, edited 1 time in total.

PostPosted: Mon Jan 11, 2016 1:31 am 
Senior Member

Joined: Sun Jan 18, 2009 1:41 pm
Posts: 955
There's a good chance that Gmail is rejecting the message for some reason. If that's all the OSSEC log tells you, maybe there's a setting that will make it log more details?


PostPosted: Mon Jan 11, 2016 1:34 am 
Senior Member

Joined: Mon Aug 29, 2011 2:34 am
Posts: 224
https://www.mail-archive.com/ossec-list ... 20922.html

I would do what they did and tcpdump the connection to see the error response. You'll probably get something similar to what they got. If so, I would set up a local send-only mailserver, make sure you've set your rDNS correctly, and set up SPF. (If you're feeling crazy, you could set up DKIM too, but that's a fair bit more work, and not absolutely necessary.) The following guide covers a basic send-only Exim setup which would work for this purpose:

https://www.linode.com/docs/email/exim/ ... e-pangolin

If you're using Debian instead of Ubuntu, ignore the step about editing /etc/apt/sources.list.


PostPosted: Mon Jan 11, 2016 1:37 am 
Senior Member

Joined: Mon Jan 04, 2016 11:58 am
Posts: 50
I haven't tried it as I have had no need, but this document covers getting TLS to work so you can auth to Gmail's servers. A second option would be to install Postfix and be a local relay.

http://cybersyndicates.com/2015/06/adva ... ith-ossec/


PostPosted: Mon Jan 11, 2016 8:24 pm 
Senior Newbie

Joined: Tue Mar 03, 2015 8:19 pm
Posts: 14
@Vance Yeah, I believe it has to do with SMTP authentication. I went through ossec-list, but they just say do the tcpdump and check the archives.

So I went through Linode's document on setting up Postfix for Gmail with my own domain, but I'm getting a "can't deliver mail" when doing the echo test. Link: https://www.linode.com/docs/email/postf ... tp-debian7
I tried the first two name servers just in case that was causing an issue, the email address is spelled right, and I set up an app-specific password because I use two-factor authentication.
The error in the email is (note: I changed the domain name to example):
Final-Recipient: rfc822; emailjim@example.com
Action: failed
Status: 5.1.1
Diagnostic-Code: X-Postfix; unknown user: "emailjim"


PostPosted: Sat Jan 16, 2016 4:12 pm 
Senior Member

Joined: Sun Jan 18, 2009 1:41 pm
Posts: 955
It sounds like your smtpd_relay_restrictions or smtpd_recipient_restrictions is set incorrectly. What is the output of postconf -n?


PostPosted: Sun Jan 17, 2016 1:06 am 
Senior Newbie

Joined: Tue Mar 03, 2015 8:19 pm
Posts: 14
Hi Vance,

Thanks for following up. I'm getting at least some level 2 emails, but certainly not all.

Output of postconf -n is the following (note: I changed the actual host name to "name-of-host"):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = gmail.com, name-of-host, localhost.localdomain, localhost
myhostname = gmail.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes


PostPosted: Sun Jan 17, 2016 4:24 pm 
Senior Member

Joined: Sun Jan 18, 2009 1:41 pm
Posts: 955
There are a few items of note. Your smtpd_relay_restrictions looks OK, but myhostname should be your actual hostname, not gmail.com. I wouldn't be surprised if Gmail is refusing messages because you are claiming to be gmail.com. Also, mydestination should not include gmail.com, as it is not a local delivery destination. You should also make sure that /etc/mailname contains your actual hostname, and not gmail.com.

Does your /etc/aliases contain an entry for emailjim? Have you run newaliases to generate the db file?
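The two misconfigurations pointed out in this reply (myhostname set to the relay provider's domain, and that domain listed in mydestination so Postfix delivers mail for it locally and answers "5.1.1 unknown user") can be caught mechanically. The following is an added example, not code from the thread or from Postfix: a small POSIX sh/awk lint over `postconf -n` output. The two embedded configurations are constructed; the "good" one uses a hypothetical FQDN `name-of-host.example.com`.

```shell
#!/bin/sh
# Added example, not from this thread or from Postfix: a small lint over
# "postconf -n" output (read on stdin) that flags the two mistakes discussed
# above: myhostname set to the relay provider's domain, and that domain listed
# in mydestination, which makes Postfix treat mail for it as local delivery
# (hence "5.1.1 unknown user") instead of handing it to relayhost.
# Exit status is the number of problems found, so it can gate a deploy step.
postfix_relay_lint() {
    awk '
    # postconf -n prints one "key = value" per line
    /^[A-Za-z0-9_]+ = / {
        key = $1
        sub(/^[A-Za-z0-9_]+ = /, "")
        conf[key] = $0
    }
    END {
        problems = 0
        # relayhost looks like "[smtp.gmail.com]:587": drop brackets and port,
        # then keep the last two labels ("gmail.com") as the provider domain
        relay = conf["relayhost"]
        gsub(/[][]/, "", relay)
        sub(/:[0-9]+$/, "", relay)
        n = split(relay, lab, ".")
        relaydom = (n >= 2) ? (lab[n-1] "." lab[n]) : relay

        if (conf["myhostname"] == relaydom) {
            printf("myhostname = %s claims to be the relay provider; use the real FQDN of this host\n", conf["myhostname"])
            problems++
        }
        m = split(conf["mydestination"], dest, "[ ,]+")
        for (i = 1; i <= m; i++) {
            if (dest[i] == relaydom) {
                printf("mydestination lists %s: mail for it is delivered locally, never relayed (5.1.1 unknown user)\n", dest[i])
                problems++
            }
        }
        if (problems == 0) {
            print "OK: myhostname and mydestination are consistent with relayhost " relay
        }
        exit problems
    }'
}

# Constructed samples: the thread's broken configuration (hostname redacted as
# in the post) and a corrected one using a hypothetical FQDN.
BAD_CONF='mydestination = gmail.com, name-of-host, localhost.localdomain, localhost
myhostname = gmail.com
relayhost = [smtp.gmail.com]:587'

GOOD_CONF='mydestination = name-of-host, localhost.localdomain, localhost
myhostname = name-of-host.example.com
relayhost = [smtp.gmail.com]:587'

# Demo: run the script with "demo" as first argument; on a real system use
#   postconf -n | postfix_relay_lint
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$BAD_CONF" | postfix_relay_lint
    printf '%s\n' "$GOOD_CONF" | postfix_relay_lint
fi
```

The lint reads only what `postconf -n` prints, so it cannot see `/etc/mailname`; check that file by hand as the reply says. A nonzero exit on the broken configuration and a zero exit on the corrected one is the whole contract.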


PostPosted: Sun Jan 17, 2016 5:41 pm 
Senior Newbie

Joined: Tue Mar 03, 2015 8:19 pm
Posts: 14
Hi Vance,

I removed the gmail.com from the host name list, restarted postfix, and then did an echo test email. The email went through right away! So then I set up OSSEC to send alerts to my main gmail account instead of the emailjim address. I restarted OSSEC, but I'm still getting an error that it can't send the email. I made sure both the to and from email addresses are the same and the smtp server is smtp.gmail.com.


PostPosted: Sun Jan 17, 2016 6:05 pm 
Senior Newbie

Joined: Tue Mar 03, 2015 8:19 pm
Posts: 14
Also aliases were set to root.


PostPosted: Mon Jan 18, 2016 4:14 pm 
Senior Member

Joined: Sun Jan 18, 2009 1:41 pm
Posts: 955
OSSEC (or whatever other applications you're using) should send mail via localhost, not smtp.gmail.com. Otherwise, you're just bypassing Postfix.

You can have emailjim aliased to root, but then root should be aliased to an address that Gmail can deliver to, e.g.
Code:
root: foo@example.com
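Before sending a test message it helps to know where an alias chain like `emailjim -> root -> foo@example.com` actually terminates. The following is an added example, not code from the thread or from Postfix: a POSIX sh/awk function that follows an `/etc/aliases`-style chain (the text file, not the hash db newaliases builds) and reports whether it ends at an external address the relay can deliver to, at a local name that must then be a real system user, or in a loop. The embedded aliases file is constructed; `foo@example.com` is the placeholder from the reply above and the `loopa`/`loopb` entries exist only to exercise the loop check.

```shell
#!/bin/sh
# Added example, not from this thread or from Postfix: follow an
# /etc/aliases-style chain (read on stdin) from a name to where mail for it
# finally lands, roughly as local(8) would after newaliases. Exit status:
#   0  chain ends at an external address (contains "@"), relay can deliver it
#   1  chain ends at a local name, which must be a real system user
#   2  chain loops
# Usage: resolve_alias NAME < /etc/aliases
resolve_alias() {
    awk -v start="$1" '
    # format: "name: target[, target...]"; blank lines and # comments ignored
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        i = index($0, ":")
        if (i == 0) next
        name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
        target = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", target)
        alias[name] = target
    }
    END {
        cur = start
        while (cur in alias) {
            if (cur in seen) { print "LOOP: " cur; exit 2 }
            seen[cur] = 1
            # follow the first target only; fan-out aliases are uncommon for root
            split(alias[cur], t, "[ \t]*,[ \t]*")
            cur = t[1]
        }
        if (index(cur, "@") > 0) { print "EXTERNAL: " cur; exit 0 }
        print "LOCAL: " cur " (needs a system mailbox, else 5.1.1 unknown user)"
        exit 1
    }'
}

# Constructed sample aliases file: foo@example.com is the placeholder from the
# reply above; the loop entries are there only to exercise the check.
ALIASES='# constructed sample
postmaster: root
emailjim: root
root: foo@example.com
loopa: loopb
loopb: loopa'

# Demo: run the script with "demo" as first argument
if [ "${1:-}" = "demo" ]; then
    for n in emailjim nobody loopa; do
        printf '%s\n' "$ALIASES" | resolve_alias "$n" || true
    done
fi
```

Run against the real file as `resolve_alias emailjim < /etc/aliases`; remember that Postfix reads the compiled db, so the text file is only authoritative once newaliases has been run, as the reply asks.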


PostPosted: Mon Jan 18, 2016 7:02 pm 
Senior Newbie

Joined: Tue Mar 03, 2015 8:19 pm
Posts: 14
Ah...it's those little things that get me. Changing the email server to localhost and then restarting it solved it! After I restarted OSSEC, I got the email warning that the application had been started, and now the level 2 alert emails are coming in. I'll probably keep the gmail account anyway since that's my main account I use for mostly everything.

Huge thanks for taking the time to figure out the problem(s) and pointing out the mistakes! I owe you a beer (or more) for that. Between the Linode OSSEC guide, the postfix guide, and this thread, I'll have to compare things and make notes of the changes needed.


PostPosted: Wed Nov 29, 2017 9:35 am 
Junior Member

Joined: Thu Nov 16, 2017 6:59 am
Posts: 48
Do note that using SMTP auth via Gmail to deliver automated mails is a terrible idea, because the SMTP FE on Gmail is throttled and can reject mail at any time.

_________________
- emestee,
Lord System Administrator

