ERROR SMTP AUTH extension
I am trying to change the email extension Splunk uses to authenticate to an Exchange server.
For example: Splunk uses something like splunk@server1
I need the domain of the From: address to be in DNS; mail with a From: address like firstname.lastname@example.org or root@server1 will not work.
I need to have the extension resolve to a domain.com address. I have been trying to look through the code to identify where the input of information is located, but am not quite sure.
We plan on using this in a large environment, but it must work and send out email alerts beforehand using the environment we currently have in place.
In $SPLUNK_HOME/etc/system/local/alert_actions.conf, you can configure the from address to be anything you want:
from = email@example.com
You can also set this value in Manager->System Settings->Email Alert Settings.
We don't use SMTP auth in our environment, so I can't speak to the specifics regarding that, but I can say that we use an FQDN (firstname.lastname@example.org) here, and it works without issue.
It does look like some have had success configuring the email server stuff in the actual search query itself, but I'm not sure if that helps...
I do appreciate the thought of placing this information in the Email Alert Settings of the GUI, but understand, I HAVE done this, and this is NOT the problem.
Also, following along with your first suggestion seems more probable for my problem, and it has been attempted. The one thing I am concerned with is the comment contained within the code,
"from email address (name only, host will be appended automatically from mailserver)"
It specifically states to use the NAME to auth ONLY. Even so, I have tried both, but I still have the same problem with how Splunk tries to auth with the server.
The email server configuration is in
I never tested that, but if the UI complains about the format or the server,
but you can try to add the server in it directly.
I located this by reading the code a bit. It does seem to be the right area to modify, but when changes are completed, it still uses the other format. I am still looking around for wherever else it's calling this information, but haven't been too successful yet.
Any other thoughts?
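As an added example (not code from this thread or from Splunk), the following check reads an `[email]` stanza and reports the From address it would produce and whether that address has a dotted domain a relay could look up in DNS. The append rule is an assumption modelled on the comment quoted above ("name only, host will be appended automatically from mailserver"); the sample values and the `effective_from` helper are constructed for illustration.

```python
import configparser

# Constructed sample stanza; values are placeholders, not taken from the thread.
SAMPLE_CONF = """
[email]
mailserver = mail.example.com:25
from = splunk
"""


def effective_from(conf_text):
    """Return (address, problems) for the [email] stanza in conf_text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("email"):
        return None, ["no [email] stanza found"]

    sender = cp.get("email", "from", fallback="").strip()
    server = cp.get("email", "mailserver", fallback="").strip()
    if not sender:
        return None, ["'from' is not set in [email]"]

    if "@" in sender:
        # A full address was configured; use it unchanged.
        address = sender
    else:
        # Assumption: name-only senders get the mailserver host appended,
        # as the quoted code comment describes. Strip any :port suffix.
        host = server.split(":", 1)[0]
        if not host:
            return None, ["name-only 'from' but 'mailserver' is not set"]
        address = f"{sender}@{host}"

    problems = []
    domain = address.rsplit("@", 1)[1]
    # A single-label host such as 'server1' cannot be resolved as a mail
    # domain by a relay that requires the From: domain to exist in DNS.
    if "." not in domain.strip("."):
        problems.append(f"domain '{domain}' is not fully qualified")
    return address, problems


if __name__ == "__main__":
    addr, issues = effective_from(SAMPLE_CONF)
    print(addr, issues or "ok")
```

Running it against the local copy of the file before testing an alert shows which of the two settings is producing a short host name in the sender address.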