Thank you both for your feedback.
Yes, the telnet was from the same server.
I have followed the wiki to set up granular alert notification but it
looks like it is buggy.
http://www.ossec.net/wiki/index.php/Know_How:GranularEmail
This config does _not_ work: (Used in the initial post I did.)
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>dns name of server</smtp_server>
    <email_from>[email protected]</email_from>
    <stats>4</stats>
    <white_list>dns name of mail server</white_list>
    <level>5</level>
  </global>
  <email_alerts>
    <email_to>my email address</email_to>
    <level>5</level>
    <do_not_delay />
  </email_alerts>
However, when I change the config to the following, I'm receiving
emails.
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>dns name of server</smtp_server>
    <email_from>[email protected]</email_from>
    <stats>4</stats>
    <white_list>dns name of mail server</white_list>
    <email_to>My email address</email_to>
    <level>5</level>
  </global>
I.e. Standard email setup in the global section works, but not using
granular configuration with <email_alerts>.
Any ideas?
Cheers
Martin
On Jan 7, 11:09 am, "McClinton, Rick" <[email protected]>
wrote:
> Your telnet test is from the same server as ossec, right? Sorry, just
> checking.
>
> I'm reading src/os_mail/sendmail.c from 081212 snapshot; it's looking to find
> '250' in the line that came back, which it certainly seems it should have.
>
> If it helps, there is a debug flag in this file; you can change sendmail.c to
> define MAIL_DEBUG_FLAG as 1 and then you'll get some more feedback from ossec.
>
> Rick McClinton
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Martin
> Sent: Monday, January 05, 2009 8:59 PM
> To: ossec-list
> Subject: [ossec-list] Unable to send email to remote exchange server.
>
> Importance: Low
>
> Until now, I've used the local sendmail server for sending email.
> Sending via a local mail server works fine. For various reasons, I now
> have to start sending the emails directly to our exchange server.
> However, as soon as I change the ip address from localhost to the IP
> address of the mail server, I start getting errors in the ossec.log
> file and no emails are received. The error I'm getting is "ossec-maild
> (1223): ERROR: Error Sending email to n.n.n.n (smtp server)".
> I've done some tcpdump of the traffic and I can capture the following
> data;
> 220 hostname Microsoft ESMTP MAIL Service ready at Tue, 6 Jan 2009
> 11:24:01 +1300
> Helo notify.ossec.net
> 250 hostname Hello [n.n.n.n]
> Mail From: <os...@syslog>
> 250 2.1.0 [email protected] OK
>
> The message "250 2.1.0 [email protected] OK" is from the exchange
> server. The next thing I would expect is for my ossec server to send
> the Rcpt To command with my email address however the very next
> package the ossec server sends is a [Fin,Ack] to the exchange server.
>
> If I telnet to the mail server manually on port 25 I can send email
> just fine.
> # telnet n.n.n.n 25
> Trying n.n.n.n...
> Connected to n.n.n.n.
> Escape character is '^]'.
> 220 hostname Microsoft ESMTP MAIL Service ready at Tue, 6 Jan 2009
> 14:50:51 +1300
> Helo notify.ossec.net
> 250 hostname [n.n.n.n]
> Mail From: <os...@syslog>
> 250 2.1.0 [email protected] OK
> Rcpt To:<m...@emailaddress>
> 250 2.1.5 m...@emailaddress
> data
> 354 Start mail input; end with <CRLF>.<CRLF>
> Subject: test
> .
> 250 2.6.0 <i...@hostname> Queued mail for delivery
> quit
> 221 2.0.0 hostname Service closing transmission channel
> Connection closed by foreign host.
>
> Does anyone have any idea why ossec may be shutting down the
> connection in the middle of the email delivery? Is anyone else able to
> send directly to an exchange server?
>
> Cheers
> /Martin