
Why am I receiving error "SMTP AUTH extension not supported by server" when trying to configure an alert?

fab73
Path Finder

Weekly Report fires perfectly. SMTP Authentication is correctly configured in General Settings. And it works. Now I'm configuring an Alert based on an event (search result). The log shows me that the trigger works correctly, but now I have a send mail problem (??).

python.log shows:

ERROR   sendemail:127 - Sending email. ....
ERROR   sendemail:392 - SMTP AUTH extension not supported by server. while sending mail to: ....

Item in splunkd.log:

ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/etc/apps/search/bin/sendemail.py "results_link= .... ERROR:root:SMTP AUTH extension not supported by server. while sending mail to: ....

Any idea? It seems to be a permission problem.... The same SMTP is correctly authenticated and it works for the Report, but not in the case of the Alert. Any idea where to check?

0 Karma
1 Solution

fab73
Path Finder

I solved it by putting the port in the "Mail host" field in general mail settings !!?? ourmailhost.foo.com:25.
Don't know why it makes a difference. It is not a requested value if SSL or TLS is not used. And this is the case.

jkat54
SplunkTrust

Probably because the default port for TLS and SSL is not typically 25.

0 Karma

jkat54
SplunkTrust

If it works with a report but not this alert then one of the ways that is possible is if the report search is using the | sendemail command and has the correct auth in line, or your alert search is using the sendemail command with the incorrect auth in line.

The error is telling you that the mail server doesn't like the authentication method you are using. Your options are basic, ssl, and ssl with tls.

Please review the report's search and the alert search to see if one of them is using the sendemail command.

Another possibility is if the report or alert is in another Splunk app, check that Splunk app's local and default directories for a file called alert_actions.conf. This file can contain custom email settings and those settings only apply in the app that contains this file.

0 Karma
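
The error text in the logs above is the message Python's smtplib raises from `login()` when the server's EHLO reply does not list the AUTH extension. The following is an added example, not part of the thread or of Splunk's sendemail.py: it parses an EHLO reply and reports whether AUTH is offered in cleartext, only after STARTTLS, or not at all. The sample replies and the host name `mail.example.test` are constructed; `probe()` needs network access to a real mail host.

```python
import smtplib

# Constructed EHLO replies: the same hypothetical server before and after STARTTLS.
SAMPLE_PLAIN = "250-mail.example.test\n250-SIZE 10240000\n250-STARTTLS\n250 8BITMIME"
SAMPLE_TLS = "250-mail.example.test\n250-SIZE 10240000\n250-AUTH PLAIN LOGIN\n250 8BITMIME"


def parse_ehlo(reply):
    """Parse a raw multi-line EHLO reply into {KEYWORD: parameters}."""
    features = {}
    for line in reply.splitlines()[1:]:          # first line is the greeting
        if not line.startswith("250"):
            continue
        text = line[4:].strip()
        if text.upper().startswith("AUTH="):     # legacy "AUTH=LOGIN PLAIN" form
            text = "AUTH " + text[5:]
        keyword, _, params = text.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def diagnose(plain, after_tls=None):
    """Classify where (if anywhere) the server advertises AUTH."""
    if "AUTH" in plain:
        return "auth-offered"
    if "STARTTLS" in plain and after_tls and "AUTH" in after_tls:
        return "auth-only-after-starttls"
    return "auth-not-offered"                    # login() would raise the error


def probe(host, port=25, timeout=10):
    """Live check: EHLO, then EHLO again after STARTTLS if it is offered."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        plain = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        after_tls = None
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
            after_tls = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        return diagnose(plain, after_tls)


if __name__ == "__main__":
    print(diagnose(parse_ehlo(SAMPLE_PLAIN), parse_ehlo(SAMPLE_TLS)))
```

A result of `auth-only-after-starttls` means credentials are accepted only on an encrypted session, so the mail client must be configured to use TLS before authenticating.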

fab73
Path Finder

Thanks anyway for your suggestions.

0 Karma

fab73
Path Finder

Thanks in advance....

  1. The search generating the alert does not use any "| sendemail" command. I checked the search string by opening "Open in search" on the alert list (correct?):

"| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% di utilizzo"=round(used_bytes/quota*100,2) | fields Pool "% di utilizzo" | where '% di utilizzo'>64"

This query is used to fire an alert when license usage goes over 64%. No sendemail command is here.

  2. The alert is configured in the App search. But there is no alert_actions.conf in App search. I suppose it uses the system conf. All alert_actions.conf files are:

/opt/splunk/etc/apps/alert_logevent/default/alert_actions.conf
/opt/splunk/etc/apps/alert_webhook/default/alert_actions.conf
/opt/splunk/etc/system/local/alert_actions.conf
/opt/splunk/etc/system/default/alert_actions.conf

Anyway, using btool for the system config, all seems to be correct, as for the Report...... still investigating....

0 Karma