OSSEC can't send email, but POSTFIX and Mailx work fine
Really can't figure out why OSSEC can't send emails. POSTFIX works fine.
Looking at the ossec.log file I see:
os_sendmail(1764): WARN: Mail from not accepted by server
ossec-maild(1223): ERROR: Error Sending email to 127.0.0.1 (smtp server)
When I look at the mail.log, I see the error:
postfix/smtpd[41942]: connect from localhost.localdomain[127.0.0.1]
postfix/smtpd[41942]: lost connection after HELO from localhost.localdomain[127.0.0.1]
postfix/smtpd[41942]: disconnect from localhost.localdomain[127.0.0.1] helo=1 mail=0/1 commands=1/2
If it's an issue with my postfix setup, I really don't know where it's from. Here's my postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = 127.0.0.1 localhost
myhostname = *QFDN*
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 localhost.localdomain
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = encrypt
And for good measure, here's my ossec.conf
<global>
<email_notification>yes</email_notification>
<email_to>superadmin@willowdalechurch.ca</email_to>
<smtp_server>127.0.0.1</smtp_server>
<email_from>superadmin@willowdalechurch.ca</email_from>
<email_maxperhour>5</email_maxperhour>
</global>
I thought it may have something to do with ufw (you know, try everything), but disabling it didn't work. If anyone has a solution, it would be greatly appreciated.
5 Replies
This is just a wild guess here but, IMHO, I think your problem is that you are trying to use localhost instead of
relayhost = [smtp.gmail.com]:587
to submit mail from OSSEC. What I would try next is to configure OSSEC so that it uses smtp.gmail.com and port 587 as the place for it to submit mail.
I understand why you want to do what you did but, to postfix(1), this is a violation of the rules. If you want postfix(1) to accept submissions from localhost, you need to change your relayhost to something like this:
relayhost = [smtp.gmail.com]:587 $mynetworks
YMMV.
Frankly, I'd just configure OSSEC to do the right thing™ so that postfix(1) only has one way to accept mail.
-- sw
P.S., I'd suggest configuring mynetworks this way as well:
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 localhost.localdomain localhost
(just to be safe).
Thanks a lot @stevewi
My understanding is that I have to use localhost in OSSEC to go through Postfix. Otherwise, it bypasses it and tries to connect to the smtp server and it just won't work with Gmail.
I tried
relayhost = [smtp.gmail.com]:587 $mynetworks
But Postfix throws an error saying I cannot have multiple relays
And I tried
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 localhost.localdomain localhost
But it didn't work.
What I don't get is why postfix loses the connection after HELO
You write:
And I tried
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 localhost.localdomain localhost
But it didn't work.
Adding localhost to mynetworks was never going to solve your problem. I suggested it as a completeness thing.
You also write:
I tried
relayhost = [smtp.gmail.com]:587 $mynetworks
But Postfix throws an error saying I cannot have multiple relays
OK, fair enough…my bad. I thought I had seen an example of this… Put it back the way it was:
relayhost = [smtp.gmail.com]:587
The only thing I can figure out is that OSSEC is trying to submit mail on port 25. It shouldn't be. Port 25 is for MTA-MTA transfer of mail. Mail should be submitted on port 587.
Can you try changing your OSSEC configuration to this:
...
<email_to>superadmin</email_to>
<smtp_server>localhost</smtp_server>
<email_from>superadmin@willowdalechurch.ca</email_from>
...
and see if you can configure OSSEC to use port 587?
Also, you might add these to your postfix(1) /etc/postfix/main.cf file to allow addresses in mynetworks to send/receive mail (don't forget to reload/restart postfix after you're done):
# SMTPD Client restrictions (restrict who can connect to me)
#
smtpd_client_restrictions =
permit_sasl_authenticated,
permit_mynetworks
# SMTPD helo restrictions (restrict who can talk to me)
#
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_sasl_authenticated,
permit_mynetworks
# SMTPD recipient restrictions (restricts who I will actually receive mail from)
#
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
# reject senders who haven't logged in first
#
smtpd_sender_restrictions =
permit_sasl_authenticated,
permit_mynetworks
# reject clients that speak too early
#
smtpd_data_restrictions = reject_unauth_pipelining
You can read what all these things do at
http://www.postfix.org/postconf.5.html
After this, I'm tapped out of ideas. I'm hoping that making OSSEC use the right port to submit mail will fix your problem.
It's really hard to diagnose problems like this using bboard posts ;-)
-- sw
@stevewi I am extremely grateful for your help. This is truly a pain in the neck to troubleshoot and your ideas were very helpful, so I really can't thank you enough.
I finally found the solution: I had to switch the value of
smtp_tls_security_level= in /etc/postfix/main.cf from encrypt to may. Here's the long story in case it helps someone in my case, because I really didn't find anything similar on the web.
As mentioned already mail.log was throwing an error, which told me that it was receiving the request from OSSEC, but something was wrong.
3.1 I changed /etc/postfix/master.cf to get more info from mail.log by adding -v at the end of the code below
smtp inet n - y - - smtpd -v
3.2 After doing that, I got additional info including
postfix/smtpd[61556]: > localhost[::1]: 530 5.7.0 Must issue a STARTTLS command first
So after many hours of reading and trial and error, I figured that changing the value of smtp_tls_security_level= finally gave me different results and changing it to may made everything right as rain.
Note: The reason I had originally changed the setting from may (the default) to encrypt is because it's the recommended setting in one of the Linode guides when using Postfix with Gmail. However, I found that sticking to may works just as well and doesn't conflict with OSSEC.
Again, thanks to @stevewi. I really appreciated your help and support.
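To make the mechanism behind this fix concrete, here is a small added model (not code from the thread, OSSEC or Postfix) of how the smtpd-side TLS policy decides whether a submitter that only speaks plain HELO / MAIL FROM gets past the greeting. The 530 reply text is the one quoted from mail.log above; the other reply lines, the hostname mail.example.test and the addresses are constructed to look like Postfix's and are not taken from the thread. The model covers the smtpd_ (inbound, listening) side, which is the side that emits the 530 in the log; the smtp_ setting governs the outbound hop to the relayhost.

```python
# Added example (not from the thread): model of how Postfix's
# smtpd_tls_security_level decides whether a plaintext submitter gets
# past HELO. Reply texts other than the 530 line quoted in the thread
# are constructed to look like Postfix's, not copied from it.
from dataclasses import dataclass
from typing import List, Tuple

HOSTNAME = "mail.example.test"  # constructed placeholder hostname


@dataclass
class SmtpdModel:
    """Server side: applies the TLS policy to MAIL FROM like smtpd(8) does."""
    tls_security_level: str   # "none", "may" or "encrypt"
    greeted: bool = False     # HELO/EHLO seen
    tls_active: bool = False  # STARTTLS negotiated

    def reply(self, line: str) -> str:
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            # Only EHLO clients are told about STARTTLS; HELO-only clients never see it.
            if verb == "EHLO" and self.tls_security_level != "none" and not self.tls_active:
                return f"250-{HOSTNAME}\r\n250-STARTTLS\r\n250 8BITMIME"
            return f"250 {HOSTNAME}"
        if verb == "STARTTLS":
            if self.tls_security_level == "none":
                return "502 5.5.1 Error: command not implemented"
            self.tls_active = True
            return "220 2.0.0 Ready to start TLS"
        if verb in ("MAIL", "RCPT", "DATA"):
            if not self.greeted:
                return "503 5.5.1 Error: send HELO/EHLO first"
            # This is the check that rejected the plaintext submitter in the thread.
            if self.tls_security_level == "encrypt" and not self.tls_active:
                return "530 5.7.0 Must issue a STARTTLS command first"
            return "250 2.1.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def submit(tls_security_level: str, client_does_starttls: bool) -> Tuple[bool, List[str]]:
    """Client side: replay one submission and return (accepted, transcript).

    The plaintext client mirrors what the thread's mail.log shows
    (helo=1 mail=0/1): HELO, MAIL FROM, and on rejection it just drops
    the connection, which smtpd logs as "lost connection after HELO".
    """
    server = SmtpdModel(tls_security_level)
    transcript: List[str] = []

    def send(cmd: str) -> str:
        resp = server.reply(cmd)
        transcript.append(f"C: {cmd}")
        transcript.extend(f"S: {part}" for part in resp.split("\r\n"))
        return resp

    if client_does_starttls:
        if "STARTTLS" in send(f"EHLO {HOSTNAME}"):
            send("STARTTLS")  # the TLS handshake itself is outside this model
    else:
        send(f"HELO {HOSTNAME}")

    if not send("MAIL FROM:<ossec@example.test>").startswith("250"):
        transcript.append("C: <closes connection without QUIT>")
        return False, transcript

    accepted = send("RCPT TO:<admin@example.test>").startswith("250")
    send("QUIT")
    return accepted, transcript


if __name__ == "__main__":
    for level in ("encrypt", "may"):
        for starttls in (False, True):
            ok, lines = submit(level, starttls)
            print(f"--- smtpd_tls_security_level={level}, client STARTTLS={starttls}: accepted={ok}")
            print("\n".join(lines))
```

Running it shows the two outcomes side by side: with encrypt the HELO-only client is answered 530 at MAIL FROM and disconnects, with may the same client is accepted, and a STARTTLS-capable client is accepted under either setting. In real Postfix the policy is per listening service, so instead of relaxing it globally on a box with inet_interfaces = all, one can keep encrypt on the public port 25 entry in master.cf and give a loopback-only smtpd entry its own -o smtpd_tls_security_level=may override.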
De nada! I probably would have stumbled on your solution eventually but it woulda taken me a couple of days… I'm glad I was able to help.
postfix(1) is a sometimes weird but always wonderful beast. Unfortunately, all the published books about postfix(1) are way out of date so I wouldn't recommend any of those. Your best bet is just to stick with the docs and try & muddle your way through. Fortunately, the docs are complete, well-written (but not for beginners) and clear.
Having spent most of my career with sendmail(1) and trying to figure out configuration horses%@t like this:
# make sure <@a,@b,@c:user@d> syntax is easy to parse -- undone later
R@$+,$+:$+ @$1:$2:$3 change all "," to ":"
R@$+:$+ $@$>6<@$1>:$2 src route canonical
R$+:$*;@$+ $@$1:$2;@$3 list syntax
R$+@$+ $:$1<@$2> focus on domain
R$+<$+@$+> $1$2<@$3> move gaze right
R$+<@$+> $@$>6$1<@$2> already canonical
one can appreciate how much of an advance postfix(1) really is!
-- sw