sendemail does not issue STARTTLS properly with the SMTP server.

mattwh
Engager

Hi Splunk,

My company recently purchased the enterprise edition after using free for a year or two, and so I've been digging into the various features unlocked to us. Currently I've been working with alerting and trying to configure Splunk to send e-mails, however I've run into some issues.

To start, I'm using the command below to test the e-mail configuration:

index=main | head 5 | sendemail to=matthew_blahblah@yaddayadda.com server="email-smtp.us-west-2.amazonaws.com:587" subject="Here is an email notification" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true

I was originally trying to use alerts to test, however the error reporting with that method is abysmal, as it only ever gave me a
'ERROR:root:[Errno 111] Connection refused while sending mail' in the splunkd.log.

By using the command mentioned above, I was finally able to get a better error message:

'command="sendemail", (530, 'Must issue a STARTTLS command first') while sending mail to:'

This is the ${SPLUNKHOME}/etc/system/local/alert_actions.conf

[email]
auth_password = PASSHERE
auth_username = USERHERE
from = splunk@yaddayadda.com
mailserver = email-smtp.us-west-2.amazonaws.com:587
use_tls = 1
use_ssl = 0
hostname = 127.0.0.1

I've tried switching it over to SSL and using port 443 but it generates the same error.

Is this something I can specify in the search string, or will I need to mess around with the python script?

Also, the e-mail settings page in the Splunk web GUI will clear out the SMTP password every time you save, unless one is entered. This means every time I make a change to the config using the GUI, I need to enter the password. I don't know if this is the intended functionality, just thought I'd give you guys a heads up.

EDIT: Thank you for the code block, and I forgot to mention we're on the latest version of Splunk, 6.2.1.

1 Solution

mattwh
Engager

EDIT: This only appears to work with in-line email commands, Alert e-mails still do not seem to work with this fix.

Alright folks, here's what I did to fix this. Remember I'm using AWS as my SMTP server so things might not be the same for you.

First the STARTTLS issue. It appears that Splunk is not properly reading or setting the variable from the config file, and thus is failing to trip an if statement. You'll need to edit ${SPLUNKHOME}/etc/apps/search/bin/sendemail.py. Our problem is the following bit of code:

if use_tls:
    smtp.starttls()

All that's needed is to change the variable at the beginning of the function, like so:

#use_tls    = normalizeBoolean(ssContent.get('action.email.use_tls', False))
use_tls    = normalizeBoolean(ssContent.get('action.email.use_tls', True))

With that done, TLS should be functional. However I ran into a second error:

command="sendemail", (554, "Transaction failed: User name is missing: 'splunk'.") while sending mail to: matthew_blahblah@yaddayadda.com

This is basically AWS telling me the From address is not on the verified senders list. I knew the sender's address in the config file was verified, so after some more digging I found the final piece to the puzzle:

def buildHeaders(argvals, ssContent, email, sid, serverInfoContent):

    sender  = ssContent.get("action.email.from", "splunk")

Find that chunk of code and replace "splunk" with your actual from address and you should be good to go! Example for extra clarification:

def buildHeaders(argvals, ssContent, email, sid, serverInfoContent):

    sender  = ssContent.get("action.email.from", "splunk@yaddayadda.com")

I hope this helps!

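To make the failure path in the question and the two fixes in this answer concrete, here is an added example (not Splunk's sendemail.py and not the poster's code) that models the use_tls decision against a constructed stand-in for a port-587 submission server: when the action.email.use_tls key never reaches the script, the hard-coded default decides whether STARTTLS is issued, and a bare sender name of "splunk" triggers the 554. normalize_boolean, FakeSes, load_ss_content and send_test_mail are assumed helpers written for this example.

```python
import configparser
import smtplib

# Constructed [email] stanza modelled on the one in the question (no real secrets).
ALERT_ACTIONS_CONF = """\
[email]
from = splunk@yaddayadda.com
mailserver = email-smtp.us-west-2.amazonaws.com:587
use_tls = 1
"""

def normalize_boolean(value, default=False):
    """Loose config truthiness ('1', 'true', ...); assumed, not Splunk's helper."""
    if value is None:
        return default
    return str(value).strip().lower() in ("1", "true", "t", "yes", "y", "on")

class FakeSes:
    """Constructed port-587 server: refuses mail before STARTTLS, rejects bare sender."""
    def __init__(self):
        self.tls = False

    def starttls(self):
        self.tls = True

    def sendmail(self, sender, recipients, message):
        # Without the handshake the session (and any AUTH) would be cleartext; refuse it.
        if not self.tls:
            raise smtplib.SMTPResponseException(530, b"Must issue a STARTTLS command first")
        if "@" not in sender:
            raise smtplib.SMTPResponseException(
                554, b"Transaction failed: User name is missing: '%s'." % sender.encode())
        return {}

def load_ss_content(conf_text):
    """Map the [email] stanza onto the action.email.* keys sendemail.py reads."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return {"action.email." + k: v for k, v in cp["email"].items()}

def send_test_mail(ss_content, smtp, use_tls_default=False):
    """Decision path from the answer: the default wins when use_tls never reaches the script."""
    use_tls = normalize_boolean(ss_content.get("action.email.use_tls"), use_tls_default)
    sender = ss_content.get("action.email.from", "splunk")
    try:
        if use_tls:
            smtp.starttls()
        smtp.sendmail(sender, ["matthew_blahblah@yaddayadda.com"], "test")
    except smtplib.SMTPResponseException as e:
        return (e.smtp_code, e.smtp_error.decode())
    return (250, "sent")
```

Flipping the hard-coded default, as the answer does, only papers over the missing key; once the stanza's use_tls and from values actually reach the script, the original default is harmless and the mail goes out over STARTTLS.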

ThomasKoeberlei
Explorer

Try to use the command with the argument: use_tls=false


kevinmanson
Explorer

Splunk,

Please tell me there is a bug created for this issue and it is going to be resolved at some point.


ppablo
Retired

Hi @kevinmanson

Leaving a comment on Splunk Answers isn't the best way to get visibility on and track a bug's progress (if there is a bug filed). If you don't see this in the known issues page from documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.4/ReleaseNotes/Knownissues

I would file a bug here:
http://www.splunk.com/r/bugs
