Your telnet test is from the same server as ossec, right? Sorry, just checking.
I'm reading src/os_mail/sendmail.c from 081212 snapshot; it's looking to find '250' in the line that came back, which it certainly seems it should have. If it helps, there is a debug flag in this file; you can change sendmail.c to define MAIL_DEBUG_FLAG as 1 and then you'll get some more feedback from ossec.

Rick McClinton

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Martin
Sent: Monday, January 05, 2009 8:59 PM
To: ossec-list
Subject: [ossec-list] Unable to send email to remote exchange server.
Importance: Low

Until now, I've used the local sendmail server for sending email. Sending via a local mail server works fine. For various reasons, I now have to start sending the emails directly to our exchange server. However, as soon as I change the ip address from localhost to the IP address of the mail server, I start getting errors in the ossec.log file and no emails are received.

The error I'm getting is "ossec-maild (1223): ERROR: Error Sending email to n.n.n.n (smtp server)".

I've done some tcpdump of the traffic and I can capture the following data;

220 hostname Microsoft ESMTP MAIL Service ready at Tue, 6 Jan 2009 11:24:01 +1300
Helo notify.ossec.net
250 hostname Hello [n.n.n.n]
Mail From: <os...@syslog>
250 2.1.0 [email protected] OK

The message "250 2.1.0 [email protected] OK" is from the exchange server. The next thing I would expect is for my ossec server to send the Rcpt To command with my email address however the very next package the ossec server sends is a [Fin,Ack] to the exchange server.

If I telnet to the mail server manually on port 25 I can send email just fine.

# telnet n.n.n.n 25
Trying n.n.n.n...
Connected to n.n.n.n.
Escape character is '^]'.
220 hostname Microsoft ESMTP MAIL Service ready at Tue, 6 Jan 2009 14:50:51 +1300
Helo notify.ossec.net
250 hostname [n.n.n.n]
Mail From: <os...@syslog>
250 2.1.0 [email protected] OK
Rcpt To:<m...@emailaddress>
250 2.1.5 m...@emailaddress
data
354 Start mail input; end with <CRLF>.<CRLF>
Subject: test
.
250 2.6.0 <i...@hostname> Queued mail for delivery
quit
221 2.0.0 hostname Service closing transmission channel
Connection closed by foreign host.

Does anyone have any idea why ossec may be shutting down the connection in the middle of the email delivery? Is anyone else able to send directly to an exchange server?

Cheers
/Martin
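For comparison with the search for '250' in a returned line that the reply above describes, here is a strict parse of SMTP reply lines that takes the code only from the first three characters and follows "250-" continuation lines to the final one. It is an added example, not part of the thread and not OSSEC's code; the function names are hypothetical and the inputs in the comments are constructed.

```c
/* Added example, not OSSEC code. Function names are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Parse one SMTP reply line (RFC 5321, section 4.2).
 * Returns the 3-digit code, or -1 if the line is not a valid reply.
 * *is_final is 1 for "NNN text" or a bare "NNN", 0 for "NNN-text". */
int smtp_line_code(const char *line, size_t len, int *is_final)
{
    if (len < 3 || !isdigit((unsigned char)line[0]) ||
        !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
        return -1;
    if (len > 3 && line[3] != ' ' && line[3] != '-')
        return -1;
    *is_final = !(len > 3 && line[3] == '-');
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Walk a receive buffer that may hold a multi-line reply and return the
 * code of its final line. Returns -1 if the reply is malformed or not yet
 * complete, in which case the caller reads more from the socket and retries.
 * Constructed input: "250-mail.example Hello\r\n250 SIZE\r\n" gives 250. */
int smtp_reply_code(const char *buf)
{
    const char *p = buf;
    int first = -1;
    while (*p) {
        const char *eol = strchr(p, '\n');
        if (!eol) return -1;                /* partial line: need more data */
        size_t len = (size_t)(eol - p);
        if (len && p[len - 1] == '\r') len--;
        int final = 0;
        int code = smtp_line_code(p, len, &final);
        if (code < 0) return -1;
        if (first < 0) first = code;
        else if (code != first) return -1;  /* every line repeats the code */
        if (final) return code;
        p = eol + 1;
    }
    return -1;                              /* no final line seen yet */
}

/* 1 only when the complete reply carries exactly the expected code. */
int smtp_reply_ok(const char *buf, int expected)
{
    return smtp_reply_code(buf) == expected;
}
```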
