I recently upgraded my Splunk instance to version 8.x (whatever the newest one was a week ago). I reconfigured pretty much everything as I had it before (on v7.x) and I have noticed I can no longer get my email notification to work.
I am using exactly the same settings for email as I used in version 7, but with version 8 I get these error messages:
ERROR sendemail:475 - (550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: firstname.lastname@example.org
I have configured Splunk to use our local Exchange server for sending emails and it's set to send emails as myself to myself. I have the correct settings/ports for TLS and the auth part. I have verified these settings using PowerShell and another Python script and they both work; it's just Splunk that doesn't work.
I suspect that something is being changed when the sendemail attempt happens but I cannot see anything in the logs to see exactly what is being sent.
Any ideas on how to troubleshoot?
Looked in the splunkd.log and nothing really more than the above...
It's a scheduled report that I am trying to send. Sadly, the Python log did not have anything more useful:
2020-07-14 09:35:07,062 +0000 ERROR sendemail:142 - Sending email. subject="Splunk Report: xxxx", results_link="http://10.21.56.47:8000/app/search/@go?sid=scheduler__admin__search__RMD5141fe5c68308f17b_at_1594719...", recipients="[u'xxxxx@xxxxxx']", server="xxxxxxxxxxxxx"
2020-07-14 09:35:07,062 +0000 ERROR sendemail:475 - (550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: xxxxxxxxxxxxxxxx
2020-07-14 09:40:02,720 +0000 INFO sendemail:1162 - sendemail pdfgen_available = 1
Well, it works in the way that it actually runs, and I still get the same error:
command="sendemail", (550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: email@example.com
Time to get Wireshark out and see if I can spot the issue.
OK, this has got weird now. Rebooted and now I can send emails via the 'command line' in the GUI but not the automated way.
index=* | head 10 | sendemail to="firstname.lastname@example.org" from="email@example.com" subject="test" server="imapoutgoing.xxxxxxxxx.net:587" use_tls=true
This works fine.
My scheduled report still does not work though.
The settings I have put in at Settings | Server Settings | Email settings are the same as above:
Mail host: imapoutgoing.xxxxxxx.net:587 | Enable TLS
Send email as: firstname.lastname@example.org (copy & paste from the above just in case)
This is the error from the logs:
07-17-2020 11:30:04.296 +0100 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python2.exe C:\Program Files\Splunk\etc\apps\search\bin\sendemail.py "results_link=http://10.21.56.47:8000/app/search/@go?sid=scheduler__admin__search__RMD5141fe5c68308f17b_at_1594981800_1" "ssname=Joe_Report" "graceful=True" "trigger_time=1594981800" results_file="C:\Program Files\Splunk\var\run\splunk\dispatch\scheduler__admin__search__RMD5141fe5c68308f17b_at_1594981800_1\results.srs.zst" "is_stream_malert=False"': ERROR:root:(550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: email@example.com