Email Notification not working for AIDE, Samhain and OSSEC in Ubuntu
 

Greeting LQ, I have a problem with my Email Notification. I'm not being able to get any email notification.

#

#-------------------------------Samhain Mail-------------------------------------#

#

ERROR : [2011-12-29T22:49:44+0000] msg=<Bad response (530 5.7.0 Must issue a STARTTLS command first. g12sm20110313wiw.10), expected 250>, subroutine=<sh_mail_wait>, service=<mail>, host=<SMTP server>

ERROR : [2011-12-29T22:49:44+0000] msg=<MAIL FROM failed>, subroutine=<sh_mail_start_conn>, service=<mail>, host=<daemon@example.com>

ERROR : [2011-12-29T22:49:44+0000] msg=<Service failure>, service=<mail>, obj=<example@gmail.com>

#

#-------------------------------------------------------------------------------#

#

#
#--Samhain (Later I tried using my ISP SMTP and yet it didn't work--------------#
#

ERROR : [2011-12-30T11:00:47+0000] msg=<Connection refused, address smtp.virginmedia.com>, subroutine=<connect>, service=<email>, host=<smtp.virginmedia.com>
ERROR : [2011-12-30T11:00:47+0000] msg=<Cannot remove stale lock file, PID may be a running process>, subroutine=<sh_unix_test_and_lock>
ERROR : [2011-12-30T11:00:47+0000] msg=<Service failure>, service=<mail>, obj=<xxxxxxx@yahoo.com>
#
#-------------------------------------------------------------------------------#
#




#

#-----------------------------OSSEC Mail Problem-------------------------------#

#

2011/12/26 22:32:43 os_sendmail(1764): WARN: Mail from not accepted by server

2011/12/26 22:32:43 ossec-maild(1223): ERROR: Error Sending email to 76.x.x.x (

smtp server)

#

#-------------------------------------------------------------------------------#

#







I get some kind of error.

In my configuration file /etc/samhainrc I changed following things.



MailSeverity=warn

SetMailAddress=xxxxxxx@gmail.com

SetMailRelay = smtp.gmail.com or kept IP address and instead of Notification I get this error shown below.



ERROR : [2011-12-29T22:49:44+0000] msg=<Bad response (530 5.7.0 Must issue a STARTTLS command first. g12sm20110313wiw.10), expected 250>, subroutine=<sh_mail_wait>, service=<mail>, host=<SMTP server>



ERROR : [2011-12-29T22:49:44+0000] msg=<MAIL FROM failed>, subroutine=<sh_mail_start_conn>, service=<mail>, host=<daemon@example.com>



ERROR : [2011-12-29T22:49:44+0000] msg=<Service failure>, service=<mail>, obj=<xxxxxxx@gmail.com>





I really need help with this. I would really appreciate it.


I didn't get AIDEs ERROR mesg but I'm sure if I can figure out on of them then that would be my solution to all these three Host-based Intrusion Detection System.

Not sure if this will help but for Gmail you need to specify gmail-smtp-in.l.google.com rather than smtp.gmail.com

Thanks though it didn't work.

Check if you can send email from the commandline.

I'm not so sure about the option within /etc/samhainrc
a Relay normaly just takes mails and then tries to send them. And normaly it only allows this to happen from certain servers...
What happens if comment it out? What was the original value?

530 error talking to gmail
 

metalaarif,
An SMTP code 530 means you have to communicate with the foreign SMTP peer using SSL/TLS. See this link to find SMTP commands, reply codes, and the RFCs governing SMTP generally. You will need to configure the local MTA to conduct the SMTP dialog with GMail over SSL. If you ask a separate question about SMTP over SSL and post your MTA's configuration, someone will be able to help you with your problem.

Thanks zhjim but it didn't seem to work but learned something new and I even tried what you recommended but it didn't seem to work.

And your right agentbuzz it was interesting reading those SMTP commands. And I agree that local MTA or mail server does the work of sending mails but the thing I don't understand is why isn't it connected with anything like that. I read the documentation and even in configuration files there's nothing mentioned about configuring MTA or mail server. Why does each HIDS configuration file contains MAIL configuration part.
This is Samhain Configuration

Samhain, MTA config
 

metalaarif,

I missed that item in your Samhain config earlier. Set "SetMailRelay" to the local mail server. In your case, perhaps that is the same server on which you are running Samhain. Otherwise, it could be an MTA on your LAN that can relay outbound mail. There should be some mail server on your network that can create SMTP connections to Internet hosts. If there is such a local mail server, change your config to point to it and your problem is solved. If not, we will need to see some local SMTP server's config, whether that is sendmail, postfix, qmail, or exim, so that we can show you how to authenticate with the GMail server over TLS.

Hmm, that sounds great, I'll start doing that right away.
Actually I'm doing this test on my Virtual Machine Vmware.
I think I'll try to create a local mail server and point it towards it so that i receive mail on my localhost itself and if I succeed and later on try i'll try to redirect it to gmail or yahoomail server as u have mentioned. I think it should work as you said "agentbuzz".
By the way I don't want to close this thread yet, I want to try it myself once and then if I succeed I'll mark it as solved.

Moved: This thread is more suitable in the Linux General forum (as it is not a Linux Security issue) and has been moved accordingly to help your thread/question get the exposure it deserves.

I have configured Postfix mailServer and I even configured GmailPostfixFetchmail.
Now when I try I receive email in my gmail account

In my Postfix
myhostname = localhost
relayhost = [smtp.gmail.com]:587

When I changed my /etc/samhianrc to
SetMailAddress=xxxxxx@gmail.com
SetMailRelay= smtp.gmail.com

I got this error when I ran # samhain -t check -p warn --foreground
then I again changed my /etc/samhianrc to
SetMailAddress=xxxxxx@localhost.com
SetMailRelay= 127.0.0.0

I got this error when I ran # samhain -t check -p warn --foreground
then I again changed my /etc/samhianrc to
SetMailAddress=xxxxxx@localhost
SetMailRelay= localhost

I got this error when I ran # samhain -t check -p warn --foreground
I got 550 error and 550 error means I'm so confused now anyway do u think that i need to create a mailbox for postfix (mbox which is postfix defaul mailbox)

That means the local mail server is working. So we have to care about samhain. (As you already did)

Use your local mail server as the relay. (As you also did)
Just a typo the localhosts address is 127.0.0.1.
To me it looks like the user your sending the email from is not allowed inside your local mail server. Do you use anothrer user to send samhain mails? What happens if you run the echo 'test mail' | mail -s "test mail" as the user that you run samhain as?

Thanks zhjim your great but actually I would have done it myself too but i got frustrate and didn't think of putting 127.0.0.1
It works.

Take a look, this is how I configured to make it running
http://www.linuxquestions.org/questi...e-ossec-34342/

Just answering forum threads ;) Great you got it figured.

Also don't forget to mark the thread as solved. Use the thread tools button on the start of the thread.

Of course this can't work. You are asking your local MTA to deliver the email to the local mailbox xxxxxx, which presumably doesn't exist. What you want is to send mail to xxxxxx@gmail.com and relay it through your own MTA, so the correct version is:

SetMailAddress=xxxxxx@gmail.com
SetMailRelay= localhost

Thanks .rainer that worked too