topic Re: Non-admin user with list_settings capability failed to send alert email when mail sever use SMTP auth. in Splunk Search

Non-admin user with list_settings capability failed to send alert email when mail sever use SMTP auth.

daniel_splunk — Fri, 18 Jan 2019 07:53:53 GMT

Have defined a new non-admin user and already add list_settings capability as instructed by the Splunk document here.

https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/Emailnotification

But still failed to send alert when mail server is using SMTL auth.

Here is the python.log

2018-09-17 15:21:51,268 +0800 DEBUG ssl_context:444 - createSSLContext sslVersions [16] commonNameList [None] altNameList [None] validatePeerCert [0] rootCAPath [None] isClientContext [True] cipherSuite [ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256]
2018-09-17 15:21:51,295 +0800 ERROR sendemail:137 - Sending email. subject="Splunk testing", results_link="None", recipients="[u'user1@abc.com.hk']", server="172.21.184.4"

2018-09-17 15:21:51,295 +0800 ERROR sendemail:452 - {u'user1@abc.com.hk': (530, 'SMTP authentication is required.')} while sending mail to: user1@abc.com.hk

Re: Non-admin user with list_settings capability failed to send alert email when mail sever use SMTP auth.

daniel_splunk — Fri, 18 Jan 2019 07:58:08 GMT

You need to have admin role together with list_settings capability in order to send alert email when SMTP auth is used.

Re: Non-admin user with list_settings capability failed to send alert email when mail sever use SMTP auth.

scorrie_splunk — Wed, 18 Dec 2019 20:42:11 GMT

In my testing, you only needed to have the "list_settings" capability with a "user" role in order for this to work. (Using Splunk Cloud 7.2.9).

See this link: https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/Emailnotification

This section: "Define an email notification for an alert or scheduled report"

Non-admin user with list_settings capability failed to send alert email when mail sever use SMTP auth.

leeraym — Tue, 29 Sep 2020 10:50:43 GMT

@daniel_splunk Is there no other way to allow non-admin users to send alert emails when SMTP authentication is required? Are there any other capabilities from the "admin" role that I can assign to the "user" role in order to allow regular users to send email?

I just upgraded from Splunk Enterprise 7.3.3 to 8.05, and one of my non-admin users said that his saved alerts used to be able to send him emails when we were on 7.3.3. Nothing has changed with his Splunk role or the SMTP authentication requirement between our pre- and post-Splunk upgrade.

Re: Non-admin user with list_settings capability failed to send alert email when mail sever use SMTP auth.

daniel_splunk — Thu, 01 Oct 2020 03:36:36 GMT

If your email account is SMTP auth enabled, you need to have admin role in order to read the email auth details such as password.

Re: Non-admin user with list_settings capability failed to send alert email when mail sever use SMTP auth.

kscher — Wed, 18 Nov 2020 14:31:14 GMT

So, if I understand how sendemail works when SMTP auth is required, a user needs the "admin_all_objects" capability" in order to read auth_username and auth_password from alert_actions.

This means regular users can't send email, as the credentials get passed to SMTP server with null values. These users generally see something like this:

command="sendemail", Connection unexpectedly closed while sending mail to: somebody@something.com.

Is this a feature or a bug?