Hi everyone,
We are trying to configure email sending from Splunk through our SMTP server.
When I run
index=test sourcetype="_json" ERROR "message": "ORA*" | sendemail to="xx@xx.com" subject="Testing Email from Splunk" use_ssl=false use_tls=true server=xxx.mail.xxx:25
This works as expected and email is sent.
I then checked my email settings under Settings -> Server Settings -> Email Settings
and I had
mailserver: xxx.mail.xxx
TLS Enabled
Username and password filled
Leaving the settings like this will cause the error message:
ERROR sendemail:470 - SMTP AUTH extension not supported by server. while sending mail to:xxx@xxx.com
If I change the mail server to include port :25 I still get the same error
ERROR sendemail:470 - SMTP AUTH extension not supported by server. while sending mail to:xxx@xxx.com
Nevertheless, the sendemail directly from the search app will stop working with the settings including the port :25, i.e., now the same command we ran in the beginning fails and produces the same error message:
ERROR sendemail:470 - SMTP AUTH extension not supported by server. while sending mail to:xxx@xxx.com
I am just trying to understand how I can test with the sendemail command in Splunk search and then mirror the correct settings to the Settings so that email triggers work. I am confused about how the Settings configuration changes the behaviour of the sendemail command.
Could someone please help?
From your mail settings, remove the username and password, leave everything else.
With the settings you have in place, Splunk is trying to log in to your mail server, causing the "auth failure".
Try removing those and re-test.
Dear codebuilder, very much appreciate your answer!!! I almost lost hope to get a reply on this.
So, I did remove the username and password and this seems to have worked for most of our emails and distribution lists. For a couple of them that still didn't work, it was just because sender authentication and other settings were misconfigured.
I tried port 465 or 587, but it seemed that this didn't work for me as it timed out. Port 25 still seemed to work, and this is the port used by our mail server.
So to summarize what has worked for me:
Removed username and password from mail settings. Left mailserver:25 in the host with TLS enabled.
Many thanks!
Glad to help!
From your mail settings, remove the username and password, leave everything else.
With the settings you have in place, Splunk is trying to log in to your mail server, causing the "auth failure".
Try removing those and re-test.
Also, for SSL/TLS be sure that you are using port 465 or 587, not port 25. Port 25 is deprecated/unsupported/unsecure.
Your username/password may actually work with the correct port the more I think about it. I would test both methods.
Just checking but are you using the same user for both operations? The SMTP authentication requires the user have admin_all_objects as a capability.
Thank you for answering me!
Yes, at the moment there is only my user because we are in the starting phase of setting this up.
Seeing that there are not many answers to this, I’m considering going for some workarounds and maybe create a custom config that would call sendemail somehow instead of using the predefined email alert...
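An added example, not part of the thread and not Splunk's own code: a Python check of whether a mail server advertises AUTH before and after STARTTLS, which is the condition behind the "SMTP AUTH extension not supported by server" error discussed above. The `probe` and `advise` helpers and the sample feature dictionaries are constructed for illustration, and the advice logic is an assumption about sensible settings, not Splunk behaviour.

```python
import smtplib

def probe(host, port=25, timeout=10):
    """Ask a live server what it advertises before and after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()  # capabilities can change once the channel is encrypted
            after = dict(smtp.esmtp_features)
    return before, after

def advise(before, after, have_credentials):
    """Return (use_tls, send_credentials, reason) for the mail settings."""
    use_tls = after is not None
    offered = after if use_tls else before
    if "auth" not in offered:
        reason = "server does not advertise AUTH"
        if have_credentials:
            # This is the case reported in the thread.
            reason += "; a login attempt fails with 'SMTP AUTH extension not supported by server'"
        return use_tls, False, reason
    if not have_credentials:
        return use_tls, False, "AUTH offered but no credentials configured"
    if not use_tls:
        return use_tls, False, "AUTH offered only without TLS; credentials would cross the network in cleartext"
    return use_tls, True, "AUTH offered over TLS: " + offered["auth"].strip()

# Constructed samples in the shape of smtplib's esmtp_features (lowercase keys).
RELAY_BEFORE = {"starttls": "", "size": "36700160", "8bitmime": ""}
RELAY_AFTER = {"size": "36700160", "8bitmime": ""}    # internal relay, no AUTH
SUBMIT_BEFORE = {"starttls": "", "size": "36700160"}
SUBMIT_AFTER = {"auth": " PLAIN LOGIN", "size": "36700160"}  # AUTH after TLS

if __name__ == "__main__":
    for name, before, after in (("relay", RELAY_BEFORE, RELAY_AFTER),
                                ("submission", SUBMIT_BEFORE, SUBMIT_AFTER)):
        print(name, advise(before, after, have_credentials=True))
    # Against a real server: print(advise(*probe("mail.example.invalid"), True))
```

If the server offers no AUTH, leaving the username and password empty while keeping TLS enabled matches the configuration the original poster ended up with.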