Reporting

Getting permissions error with 'sendemail' after upgrading from 7 to 8.

ng87
Path Finder

Hi all 

I recently upgraded my Splunk instance to version 8.x (whatever the newest one was a week ago). I reconfigured pretty much everything as I had it before  (on v7.x) and I have noticed I can no longer get my email notification to work. 

I am using exactly the same settings for email as I used in version 7 but with version 8 I get these error messages : 

ERROR sendemail:475 - (550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: nick.xxxxx@xxxxxx.xxx

I have configured Splunk to use our local exchange server for sending emails and its set to send emails as my self to myself. I have the correct settings/ports for TLS and the auth part, I have verified these settings using powershell and another python script and they both work, it's just Splunk that doesn't work. 

I suspect that something is being changed when the sendemail attempt happens but I cannot see anything in the logs to see exactly what is being sent. 

 Any ideas on how to troubleshoot? 

Looked in the splunkd.log and nothing really more than the above...

Labels (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

What is a command which you are using for sending those test mail or is it an alert?

Another log which could told more is python.log.

r. Ismo

0 Karma

ng87
Path Finder

It's a scheduled report that i am trying to send. Sadly python log did not have anything more usefull

2020-07-14 09:35:07,062 +0000 ERROR sendemail:142 - Sending email. subject="Splunk Report:  xxxx", results_link="http://10.21.56.47:8000/app/search/@go?sid=scheduler__admin__search__RMD5141fe5c68308f17b_at_1594719...", recipients="[u'xxxxx@xxxxxx']", server="xxxxxxxxxxxxx"
2020-07-14 09:35:07,062 +0000 ERROR sendemail:475 - (550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: xxxxxxxxxxxxxxxx
2020-07-14 09:40:02,720 +0000 INFO sendemail:1162 - sendemail pdfgen_available = 1

0 Karma

isoutamo
SplunkTrust
SplunkTrust

This seems to be somehow SMTP server side issue. Can you check if this helps: https://community.splunk.com/t5/Archive/How-to-send-alerts-via-SMTP-to-O365/td-p/293513

r. Ismo

0 Karma

ng87
Path Finder

Thanks for  the link , somehow doubt that is the issue since i can use pretty much the same settings to send an email using powershell/python . Oh well search continues...

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Does the command sendemail from GUI working?

r. Ismo

0 Karma

ng87
Path Finder

Well it works in the way that it actually runs and i still get the same error :

command="sendemail", (550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: nick.giannoulis@xxxxxx.com

 

Time to get wireshark out and see if i can spot the issue.

0 Karma

ng87
Path Finder

Ok this has got weird now. Rebooted and now i can send emails via the 'command line' in the gui but not the automated way.

Example :

index=* | head 10 | sendemail to="nick.giannoulis@xxxx.com" from="nick.giannoulis@xxxx.com" subject="test" server="imapoutgoing.xxxxxxxxx.net:587" use_tls=true

This works fine.

 

My scheduled report still does not work though. 

The settings i have put in at Settings | Server Settings | Emails settings are the same as above :

Maihost : imapoutgoing.xxxxxxx.net:587   | Enable TLS

Send email as : nick.giannoulis@xxxx.com   ( copy & paste from the above just in case ) 

This is the error from the logs :

07-17-2020 11:30:04.296 +0100 ERROR ScriptRunner - stderr from 'C:\Program Files\Splunk\bin\Python2.exe C:\Program Files\Splunk\etc\apps\search\bin\sendemail.py "results_link=http://10.21.56.47:8000/app/search/@go?sid=scheduler__admin__search__RMD5141fe5c68308f17b_at_1594981800_1" "ssname=Joe_Report" "graceful=True" "trigger_time=1594981800" results_file="C:\Program Files\Splunk\var\run\splunk\dispatch\scheduler__admin__search__RMD5141fe5c68308f17b_at_1594981800_1\results.srs.zst" "is_stream_malert=False"': ERROR:root:(550, '5.7.60 SMTP; Client does not have permissions to send as this sender') while sending mail to: nick.giannoulis@xxxxxxxxx.com

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Is your windows version supported by Splunk for 8.x.x?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!