Solved! OSSEC error with sending mail to gmail account

There's a good chance that Gmail is rejecting the message for some reason. If that's all the OSSEC log tells you, maybe there's a setting that will make it log more details?

~~[https://www.mail-archive.com/ossec-list@googlegroups.com/msg20922.html" target="_blank">](https://www.mail-archive.com/ossec-list … 20922.html">https://www.mail-archive.com/ossec-list@googlegroups.com/msg20922.html](

I would do what they did and tcpdump the connection to see the error response. You'll probably get something similar to what they got. If so, I would set up a local send-only mailserver, make sure you've set your rDNS correctly, and set up SPF. (If you're feeling crazy, you could set up DKIM too, but that's a fair bit more work, and not absolutely necessary.) The following guide covers a basic send-only Exim setup which would work for this purpose:

~~[https://www.linode.com/docs/email/exim/sendonly-mail-server-with-exim-on-ubuntu-12-04-lts-precise-pangolin" target="_blank">](https://www.linode.com/docs/email/exim/ … e-pangolin">https://www.linode.com/docs/email/exim/sendonly-mail-server-with-exim-on-ubuntu-12-04-lts-precise-pangolin](

If you're using Debian instead of Ubuntu, ignore the step about editing /etc/apt/sources.list.

I haven't tried it as I have had no need but this document covers gettin TLS to work so you cab auth to gmail servers. A second option would be to install Postfix and be a local relay.

http://cybersyndicates.com/2015/06/adva … ith-ossec/">http://cybersyndicates.com/2015/06/advance-active-monitoring-with-ossec/

@ Vance Yeah I believe it has to do with SMTP authentication. I went through ossec-list, but they just say do the tcp dump and check the archives.

So I went through Linode's document on setting up postfix for Gmail with my own domain, but I'm getting a "can't deliver mail" when doing the echo test. Link: https://www.linode.com/docs/email/postf … tp-debian7">https://www.linode.com/docs/email/postfix/postfix-smtp-debian7

I tried the first two name servers just in case that was causing an issue, the email address is spelled right, and I setup an app specific password because I use two factor authentication.

The error in the email is: Note: I changed the domain name to example.

Final-Recipient: rfc822; emailjim@example.com

Action: failed

Status: 5.1.1

Diagnostic-Code: X-Postfix; unknown user: "emailjim"

It sounds like your smtpdrelayrestrictions or smtpdrecipientrestrictions is set incorrectly. What is the output of postconf -n?

Hi Vance,

Thanks for following up. I'm getting at least some level 2 emails, but certainly not all.

Output of postconf -n is the following: Note. I did change the actual host name to "name-of-host"

alias_database = hash:/etc/aliases

alias_maps = hash:/etc/aliases

appenddotmydomain = no

biff = no

config_directory = /etc/postfix

inet_interfaces = all

mailbox_command = procmail -a "$EXTENSION"

mailboxsizelimit = 0

mydestination = gmail.com, name-of-host, localhost.localdomain, localhost

myhostname = gmail.com

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

myorigin = /etc/mailname

readme_directory = no

recipient_delimiter = +

relayhost = [smtp.gmail.com]:587

smtpsaslauth_enable = yes

smtpsaslpasswordmaps = hash:/etc/postfix/saslpasswd

smtpsaslsecurity_options = noanonymous

smtptlsCAfile = /etc/ssl/certs/ca-certificates.crt

smtptlssessioncachedatabase = btree:${datadirectory}/smtpscache

smtpusetls = yes

smtpdbanner = $myhostname ESMTP $mailname (Debian/GNU)

smtpdrelayrestrictions = permitmynetworks permitsaslauthenticated deferunauth_destination

smtpdtlscert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

smtpdtlskey_file = /etc/ssl/private/ssl-cert-snakeoil.key

smtpdtlssessioncachedatabase = btree:${datadirectory}/smtpdscache

smtpdusetls = yes

There are a few items of note. Your smtpdrelayrestrictions looks OK, but myhostname should be your actual hostname, not gmail.com. I wouldn't be surprised if Gmail is refusing messages because you are claiming to be gmail.com. Also, mydestination should not include gmail.com, as it is not a local delivery destination. You should also make sure that /etc/mailname contains your actual hostname, and not gmail.com.

Does your /etc/aliases contain an entry for emailjim? Have you run newaliases to generate the db file?

Hi Vance,

I removed the gmail.com from the host name list, restarted postfixt, and then did a echo test email. The email went through right away! So then I setup OSSEC to send alerts to my main gmail account instead of the emaijim address. I restarted OSSEC, but I'm still getting error that it can't send the email. I made sure both to and from email addresses are the same and the smtp server is smtp.gmail.com

Also aliases were set to root.

OSSEC (or whatever other applications you're using) should send mail via localhost, not smtp.gmail.com. Otherwise, you're just bypassing Postfix.

You can have emailjim aliased to root, but then root should be aliased to an address that Gmail can deliver to, e.g.

root: foo@example.com

Ah…it's those little things that get me. Changing the email server to local host and then restarting it solved it! After I restarted OSSEC, I got the email warning that the application had been started and now the level 2 alert emails are coming in. I'll probably keep the gmail account anyway since that's my main account I use for mostly everything.

Huge thanks for taking the time to figure out the problem(s) and pointing out the mistakes! I owe you a beer (or more) for that. Between the Linode OSSEC guide, the postfix guide, and this thread, I'll have to compare things and make notes of the changes needed.

Do note that using smtp auth via gmail to deliver automated mails is a terrible idea because the SMTP FE on gmail is throttled and can reject mail at any time.