
I've been searching without a solid solution yet. I need to send OSSEC email alerts from my OSSEC server, but without hosting an SMTP server (postfix, etc). I get rejected by the Google SMTP servers (according to OSSEC errors/tcpdump). I'm not aware of a way to add SMTP login creds within the ossec.conf. Any ideas are greatly appreciated!

eod
  • Do you want to send alerts to merely a single email domain (or emails in a single email domain)? You can configure OSSEC to do it without SMTP AUTH. – AnFi Dec 17 '15 at 06:23
  • Looking to send email to a single domain (and from the same domain even). Email is hosted on Google Apps. Any attempt to send the alerts from OSSEC using the Google SMTP servers (smtp-relay.gmail.com, smtp.gmail.com, aspmx.l.google.com) gets rejected due to the lack of auth. – eod Dec 17 '15 at 13:30

1 Answer


[emails are sent to a single email domain - see comments]

You may configure your OSSEC to send messages directly to the servers accepting messages for the recipient's email domain. Use nslookup -type=mx the.domain or dig the.domain MX to get the list of names to use.

https://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html

AnFi
  • Thanks for following up. I've used the MX records for the domain (which are the Google SMTP servers). Any Google SMTP (or any other email service) gets rejected (tried using the same domain for to/from for alerts). OSSEC: ossec-maild(1223): ERROR: Error Sending email to 64.233.190.26 (smtp server) tcpdump: Google reject and includes this URL: https://support.google.com/mail/answer/81126?hl=en – eod Dec 17 '15 at 15:17
  • If your device or application does not support SSL - connect to aspmx.l.google.com on port 25. You must configure an SPF record for your domain with the IP address of the device or application to ensure that recipients do not reject mail sent from it. You must also add this IP address to the Email Whitelist box in your Google Admin console. For example, if your sending device sends from 123.45.67.89, add that address to your SPF record without removing the Google Apps mail servers from the record: v=spf1 ip4:123.45.67.89 include:_spf.google.com ~all – eod Dec 17 '15 at 16:17
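
The SPF requirement quoted in the last comment can be checked offline before pointing OSSEC at aspmx.l.google.com. This is an added example, not part of the original thread: check_spf is a hypothetical helper that evaluates only the ip4, ip6 and all mechanisms of a record string and reports include-style mechanisms as unresolved, since they need DNS lookups; the second record is constructed.

```python
import ipaddress

# SPF qualifier prefixes (RFC 7208) and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Record quoted in the comment above, and a constructed one without the ip4 entry.
RECORD_FROM_PAGE = "v=spf1 ip4:123.45.67.89 include:_spf.google.com ~all"
RECORD_WITHOUT_IP = "v=spf1 include:_spf.google.com ~all"  # constructed sample


def check_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF record for sender_ip.

    Returns (result, unresolved). Terms that need DNS (include:, a, mx,
    redirect=) are skipped and listed in unresolved, so a non-pass result
    is only final if none of those would have matched the sender.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for raw in terms[1:]:
        qualifier, term = ("+", raw)
        if raw[0] in QUALIFIERS:
            qualifier, term = raw[0], raw[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # strict=False accepts host bits set, e.g. ip4:192.0.2.7/24
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], unresolved
        elif name == "all":
            return QUALIFIERS[qualifier], unresolved
        else:
            unresolved.append(raw)
    # No mechanism matched and there is no "all": SPF default is neutral.
    return "neutral", unresolved


if __name__ == "__main__":
    for rec in (RECORD_FROM_PAGE, RECORD_WITHOUT_IP):
        result, skipped = check_spf(rec, "123.45.67.89")
        print(f"{rec!r}: {result}, needs DNS: {skipped}")
```

A softfail with only include:_spf.google.com unresolved means the OSSEC host's address is not authorized by the record, which is the condition the quoted Google guidance tells you to fix.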