Reporting

How to troubleshoot why we are getting sendemail error "Connection closed unexpectedly" on test email?

Jarohnimo
Builder

I have 1 working Splunk box with SMTP. It is SSL Bound ( I did not set this box up). I have 1 more Splunk Box that isn't SSL bound and the SMTP isn't working ( I set this one up). When I try to send a email from a dashboard perhaps. Upon sending the test email it states:

Sending the test email failed: command="sendemail", Connection unexpectedly closed while sending mail to: someone@johndoe.com

I understand this very well maybe an issue with my environment either accepting on not accepting connections coming from a http vs https. I have the exact same SMTP server information in both servers. GUI > Settings > System Settings > Email Settings. I placed the host a name of the smtp vip (there's many smtp servers behind it). for example SMTP.Whatever.com

It works for the original box, but no luck on the new box. I'm unsure of where to go from here as I have found many people with this issue. I don't know enough about Splunk to understand what the source of the problem is? Is it Splunk not happy or the SMTP server? If so I wonder what I have to do to mitigate....

Thank you

0 Karma
1 Solution

Jarohnimo
Builder

Looks like I found out my own answer again..

This wasn't an SSL problem, This wasn't a Splunk Problem. This was an SMTP exception problem. The Team managing the SMTP Virtual name/ Servers needs to add your host name to the exceptions list allowing that server the ability to send outbound email.

your other options are getting a SMTP relay server setup where you can use that one Box (usually one of the server u manage) to send out the emails on your behalf (Opposed to the virtual name) downfall with this is it's a single point of failure where a Load Balanced SMTP virtual name... usually has more than one subnet represented its disaster recovery ready.

The last option is to setup Splunk as an SMTP server or another server locally that you manage.

If you work in an Enterprise or for a Gov. It's better and easier if you work this through your exchange team so that you have high availability with your email.

View solution in original post

Jarohnimo
Builder

Looks like I found out my own answer again..

This wasn't an SSL problem, This wasn't a Splunk Problem. This was an SMTP exception problem. The Team managing the SMTP Virtual name/ Servers needs to add your host name to the exceptions list allowing that server the ability to send outbound email.

your other options are getting a SMTP relay server setup where you can use that one Box (usually one of the server u manage) to send out the emails on your behalf (Opposed to the virtual name) downfall with this is it's a single point of failure where a Load Balanced SMTP virtual name... usually has more than one subnet represented its disaster recovery ready.

The last option is to setup Splunk as an SMTP server or another server locally that you manage.

If you work in an Enterprise or for a Gov. It's better and easier if you work this through your exchange team so that you have high availability with your email.

s2_splunk
Splunk Employee
Splunk Employee

If your SMTP server only accepts SSL connections, you won't be able to connect to it with an unencrypted connection. Do you know your email provider details?

0 Karma

Jarohnimo
Builder

I was able to Telnet to port 25 with that Virtual name so that led me away SSL being the issue. I also was able to use a local relay smtp server and it worked fine also (On the non SSL bound splunk box).

This is 100% Local (no internet).

Thank you for your help!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...