Alerting

How to send alerts via SMTP to O365?

BrendanCO
Path Finder

Hello all. I've set up Splunk to email me on a few types of alerts. On the Splunk server I set the mailhost as "smtp.office365.com:587", marked the box to use TLS, put in my username and password and saved the settings. Tried to keep it basic. On the Microsoft side, I set up the connector for the IP of the Splunk server in question.

When I look in the logs, I see "5.7.60 SMTP; Client does not have permissions to send as this sender"

When I telnet from the Splunk server to manually SMTP, I'm getting the same type of error: "530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM", followed by "Connection closed by foreign host."

Do I need to set up sendmail on the Splunk server to handle SMTP forwarding? It seemed like Splunk was ready to go from the GUI to handle this traffic.

Thoughts?

1 Solution

jwelch_splunk
Splunk Employee

The error you are getting is from your connector on the exchange side.

The permissions to use that connector are not set right. Putting sendmail on your box would only allow Splunk to send to it, but then, most likely, when sendmail sends to your connector it would get the same error.

From your error it looks like the problem is that you are sending from abc.com to abc.com and it is not happy about that. Probably spoofing protection, but again, this error is from your connector; fix the perms there and you will be fine.

Okie


klaxdal
Contributor

BrendanCO

I have set this up many times. The trick, it seems, is to use the MX record for your org as it pertains to O365 as the SMTP server.

example:

.mail.protection.outlook.com, no encryption.

I don't think I have ever got it working using a generic smtp.office365.com.

No password or username is required (normally).

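As an added example (not code from this thread, from Splunk or from Microsoft), the Python script below exercises both O365 paths discussed here from outside Splunk: authenticated submission to smtp.office365.com:587 with STARTTLS and a login, as in the question, and unauthenticated relay to the tenant's MX endpoint behind an inbound connector, as klaxdal describes. It also parses the two replies quoted in the question and flags, before any connection is made, the configuration mismatches that produce them: 5.7.57 is what Exchange Online returns when MAIL FROM arrives without SMTP AUTH (which is what a manual telnet session does), and 5.7.60 when the session is authenticated but the sender address is not one the authenticated mailbox is permitted to send as. The hostname example-tenant.mail.protection.outlook.com, the abc.com addresses and the credentials are placeholders, not values from the thread.

```python
"""Added example, not from the thread or from Splunk: try the two Exchange Online
SMTP paths discussed above outside Splunk and classify the replies they produce.
All hostnames, addresses and credentials below are placeholders."""
import re
import smtplib
import ssl
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Enhanced status codes (RFC 3463 form x.y.z) quoted in the thread and their cause.
DIAGNOSES = {
    "5.7.57": ("MAIL FROM sent without SMTP AUTH; this endpoint does not accept "
               "anonymous submission. Authenticate first (STARTTLS, then AUTH) or "
               "relay via the tenant MX endpoint behind an inbound connector."),
    "5.7.60": ("Authenticated, but the sender address is not one the authenticated "
               "mailbox may send as. Use that mailbox's own address, or grant it "
               "Send As on the alias."),
}

# Optional 3-digit reply code (Splunk's log line dropped it), then the x.y.z code.
_REPLY_RE = re.compile(r"^(?:(?P<code>\d{3})[ -])?(?P<esc>\d\.\d{1,3}\.\d{1,3})\b")


def diagnose_reply(reply: str) -> dict:
    """Parse an SMTP reply line, or a logged fragment that lost its 3-digit code,
    into reply code, enhanced status code and a likely cause."""
    m = _REPLY_RE.match(reply.strip())
    if not m:
        return {"code": None, "esc": None, "cause": "unparseable SMTP reply"}
    code = int(m.group("code")) if m.group("code") else None
    esc = m.group("esc")
    default = "permanent failure" if esc.startswith("5.") else "transient failure"
    return {"code": code, "esc": esc, "cause": DIAGNOSES.get(esc, default)}


def preflight(mailhost: str, user: Optional[str], sender: str) -> List[str]:
    """Flag, before connecting, the settings that lead to the two errors."""
    host, _, port = mailhost.lower().partition(":")
    warnings = []
    if host == "smtp.office365.com" and not user:
        warnings.append("5.7.57 likely: smtp.office365.com requires SMTP AUTH")
    if host == "smtp.office365.com" and port != "587":
        warnings.append("authenticated submission uses port 587 with STARTTLS")
    if user and sender.lower() != user.lower():
        warnings.append("5.7.60 possible: sender differs from authenticated mailbox")
    if host.endswith(".mail.protection.outlook.com") and port not in ("", "25"):
        warnings.append("MX endpoint relay listens on port 25")
    return warnings


def send_alert(mailhost: str, sender: str, recipient: str, subject: str, body: str,
               user: Optional[str] = None, password: Optional[str] = None
               ) -> Tuple[bool, Optional[dict]]:
    """Submit one message. With credentials: STARTTLS then AUTH (the question's
    setup). Without: relay to the MX endpoint (klaxdal's setup), still offering
    STARTTLS. Returns (True, None) or (False, diagnosis of the refusal)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    host, _, port = mailhost.partition(":")
    try:
        with smtplib.SMTP(host, int(port or 25), timeout=30) as smtp:
            smtp.starttls(context=ssl.create_default_context())
            if user:
                smtp.login(user, password or "")
            smtp.send_message(msg)  # envelope MAIL FROM is taken from the From header
        return True, None
    except smtplib.SMTPResponseException as exc:
        err = exc.smtp_error
        err = err.decode(errors="replace") if isinstance(err, bytes) else str(err)
        return False, diagnose_reply(f"{exc.smtp_code} {err}")


if __name__ == "__main__":
    # The two replies quoted in the question.
    for line in ("530 5.7.57 SMTP; Client was not authenticated to send anonymous "
                 "mail during MAIL FROM",
                 "5.7.60 SMTP; Client does not have permissions to send as this sender"):
        print(diagnose_reply(line))
    # The two configurations discussed, with placeholder values.
    print(preflight("smtp.office365.com:587", "splunk@abc.com", "alerts@abc.com"))
    print(preflight("example-tenant.mail.protection.outlook.com", None, "splunk@abc.com"))
```

Run with no arguments to see the preflight findings for both configurations and the parsed replies; call send_alert() with real values to test a live connector. With the question's setup (smtp.office365.com:587 plus credentials), the alert's From address has to be the authenticated mailbox itself unless that mailbox has Send As on the alias; with the MX endpoint, the inbound connector scoped to the Splunk server's IP is what authorizes the relay, so no login is offered.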

BrendanCO
Path Finder

Thanks, jwelch. Yes, I think you are on to something in that there is a permissions issue on the O365 side. Naturally, the Microsoft guys are denying that.
Just to clarify: Splunk does not require sendmail or any other SMTP server service installed separately for Splunk to forward SMTP requests?

Thanks in advance.

