Not sure if this is your case or not, but I will explain what happened to me:
During the installation of ossec it found my MX record, which is mail.somedomain.com. I chose "yes" when it asked me if that is the mail server to send mail to. In reality, what was happening is that ossec was sending mail out of my network and trying to route it back in instead of just sending it to my internal mail server.

So in my /var/ossec/etc/ossec.conf file I changed <smtp_server>mail.somedomain.com</smtp_server> to <smtp_server>xxx.xxx.xxx.xxx</smtp_server> (x's being the internal IP address of my mail server) and restarted ossec.

I am thinking that you just need to point it to your internal mail server address so that it won't send email through your firewall.

Hope this helps

--------------------------------------------------------------------------
Jeremy Wilson
Network Supervisor
DuPont Community Credit Union

From: [email protected] [mailto:[email protected]] On Behalf Of Erik
Sent: Tuesday, April 05, 2011 1:39 PM
To: [email protected]
Subject: [ossec-list] ossec mail notifications

Hi,

My ossec.log tells me this all the time:

2011/04/05 12:23:23 ossec-maild(1223): ERROR: Error Sending email to xxx.xx.xxx.xx (smtp server)

I found out this is being caused by my firewall that's blocking ossec, but how do I tell my firewall to allow those mails? My firewall is csf. I can't just whitelist an IP address...

Erik
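
An added example, not part of either message in this thread: a Python check that reads the <smtp_server> value from ossec.conf and reports whether it is, or resolves to, an internal address. Treating only RFC 1918 and loopback ranges as internal, the function names, and the sample config are assumptions made for the example.

```python
import ipaddress
import re
import socket
import sys

# Assumption: "internal" means RFC 1918 or loopback address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample mirroring the setting discussed in the thread.
SAMPLE_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- <smtp_server>192.168.10.25</smtp_server> -->
    <smtp_server>mail.somedomain.com</smtp_server>
  </global>
</ossec_config>"""

def smtp_servers(conf_text):
    """Return every active <smtp_server> value (XML comments ignored)."""
    active = re.sub(r"<!--.*?-->", "", conf_text, flags=re.S)
    return re.findall(r"<smtp_server>\s*([^<\s]+)\s*</smtp_server>", active)

def resolve(host):
    """Resolve a hostname to its IPv4 addresses with the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 25, socket.AF_INET)})

def classify(value, resolver=resolve):
    """Return 'internal', 'external' or 'unresolved' for one smtp_server value."""
    try:
        addrs = [ipaddress.ip_address(value)]       # already an IP literal
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(value)]
        except OSError:                             # includes socket.gaierror
            return "unresolved"
    if not addrs:
        return "unresolved"
    # Any address outside the internal ranges means mail may leave the network.
    inside = all(any(a in net for net in INTERNAL_NETS) for a in addrs)
    return "internal" if inside else "external"

def audit(conf_text, resolver=resolve):
    """Pair each configured smtp_server with its classification."""
    return [(v, classify(v, resolver)) for v in smtp_servers(conf_text)]

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/ossec.conf"
    with open(path) as fh:
        for value, verdict in audit(fh.read()):
            print(f"{value}: {verdict}")
```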
