Martin wrote:
: Until now, I've used the local sendmail server for sending email.
: Sending via a local mail server works fine. For various reasons, I now
: have to start sending the emails directly to our exchange server.
: However, as soon as I change the ip address from localhost to the IP
: address of the mail server, I start getting errors in the ossec.log
: file and no emails are received. The error I'm getting is "ossec-maild
: (1223): ERROR: Error Sending email to n.n.n.n (smtp server)".
: I've done some tcpdump of the traffic and I can capture the following
: data;
: 220 hostname Microsoft ESMTP MAIL Service ready at Tue, 6 Jan 2009
: 11:24:01 +1300
: Helo notify.ossec.net
: 250 hostname Hello [n.n.n.n]
: Mail From: <os...@syslog>
: 250 2.1.0 [email protected] OK
:
: The message "250 2.1.0 [email protected] OK" is from the exchange
: server. The next thing I would expect is for my ossec server to send
: the Rcpt To command with my email address however the very next
: package the ossec server sends is a [Fin,Ack] to the exchange server.
:
: If I telnet to the mail server manually on port 25 I can send email
: just fine.
: # telnet n.n.n.n 25
: Trying n.n.n.n...
: Connected to n.n.n.n.
: Escape character is '^]'.
: 220 hostname Microsoft ESMTP MAIL Service ready at Tue, 6 Jan 2009
: 14:50:51 +1300
: Helo notify.ossec.net
: 250 hostname [n.n.n.n]
: Mail From: <os...@syslog>
: 250 2.1.0 [email protected] OK
: Rcpt To:<m...@emailaddress>
: 250 2.1.5 m...@emailaddress
: data
: 354 Start mail input; end with <CRLF>.<CRLF>
: Subject: test
: .
: 250 2.6.0 <i...@hostname> Queued mail for delivery
: quit
: 221 2.0.0 hostname Service closing transmission channel
: Connection closed by foreign host.
:
: Does anyone have any idea why ossec may be shutting down the
: connection in the middle of the email delivery? Is anyone else able to
: send directly to an exchange server?
I've been sending everything to our local Exchange server here for almost a
year now. Here's the relevant portion of my ossec.conf file:
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <smtp_server>smtp.mydomain.com</smtp_server>
    <email_from>[email protected]</email_from>
    <stats>0</stats>
    <email_maxperhour>500</email_maxperhour>
  </global>
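Added example, not part of the original thread and not OSSEC code: a small Python triage helper that reads a captured SMTP exchange like the tcpdump output quoted above and reports whether the server rejected a command or the client stopped after a positive reply. The function names and the sample addresses are constructed placeholders.

```python
import re

STAGES = ["HELO", "MAIL FROM", "RCPT TO", "DATA", "QUIT"]  # minimal delivery order
REPLY = re.compile(r"^(\d{3})([ -])")  # "250-" continues a reply, "250 " ends it

def analyze(transcript):
    """Return [[stage, final_reply_code_or_None], ...] for a captured session."""
    steps, in_body = [], False
    for line in (l.strip() for l in transcript.splitlines()):
        if in_body:                      # message content, not commands
            in_body = line != "."
            continue
        m = REPLY.match(line)
        if m:
            if m.group(2) == " " and steps:   # the 220 banner precedes any command
                steps[-1][1] = int(m.group(1))
                in_body = steps[-1] == ["DATA", 354]
            continue
        cmd = line.upper().replace("EHLO", "HELO", 1)
        stage = next((s for s in STAGES if cmd.startswith(s)), None)
        if stage:
            steps.append([stage, None])
    return steps

def verdict(transcript):
    """Summarise where the session ended and which side ended it."""
    steps = analyze(transcript)
    for stage, code in steps:
        if code is not None and code >= 400:
            return f"server rejected {stage} with {code}"
    if not steps:
        return "no SMTP commands seen"
    stage, code = steps[-1]
    if code is None:
        return f"no reply to {stage}"
    if stage == "QUIT":
        return "session closed with QUIT"
    nxt = STAGES[STAGES.index(stage) + 1]
    return f"client stopped after {stage} accepted ({code}); {nxt} never sent"

# Constructed sample modelled on the capture in the question; addresses are placeholders.
FAILING = """220 hostname Microsoft ESMTP MAIL Service ready
Helo notify.ossec.net
250 hostname Hello [n.n.n.n]
Mail From: <sender@example.invalid>
250 2.1.0 sender@example.invalid OK
"""

if __name__ == "__main__":
    print(verdict(FAILING))
```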