Splunk Enterprise

Email - Security - Enable TLS not working

deckemha
Explorer

Hello all,

I have a problem in Splunk Enterprise 7.3 when I want to enable TLS for mail delivery.

Problem:

When I set email security to TLS (Server settings -> Email settings -> Enable TLS), email delivery is not working anymore.

The SMTP server connection is working (server:port is provided) when I set Email Security to "none".

The logs on the SMTP server have the following error:

smtpd[252494]: SSL_accept error from <splunk_server> [xx.xxx.xx.xxx]: -1
smtpd[252494]: warning: TLS library problem: 252494:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1427:
smtpd[252494]: lost connection after STARTTLS from <splunk_server> [xx.xxx.xx.xxx]
smtpd[252494]: disconnect from <splunk_server> [xx.xxx.xx.xxx], message count 0

Looks like a problem with the ciphers used.

I've checked alert_actions.conf in Splunk. The following standard settings are set.

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Do you have any ideas how to solve this or where to look further?

Thanks and many Regards

Michael

0 Karma
1 Solution

isoutamo
SplunkTrust

Hi

You need to check which ciphers and versions your SMTP mail server supports.

r. Ismo

deckemha
Explorer

Hello Soutamo,

thanks a lot! That helped me to find the correct solution.

I've checked the supported ciphers of our SMTP mail gateway and found out they did not match -> basically that's what the error message says.. 🙂

After adjusting the Splunk alert_actions.conf with an appropriate cipher suite, sending emails via TLS is working fine now.

Many Regards

Michael

0 Karma
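The diagnosis reached in this thread, as an added example that is not part of the original posts or of Splunk: it groups the quoted smtpd lines by PID to pull out the OpenSSL failure reason, then lists which of Splunk's configured ciphers the mail server also names. `GATEWAY_CIPHERS` is a constructed value and the function names are hypothetical; the thread never says what the gateway actually offered.

```python
import re

# Splunk's cipherSuite exactly as quoted in the question.
SPLUNK_SUITE = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
                "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")
# Constructed gateway list (assumption): the thread never says what the server offered.
GATEWAY_CIPHERS = "DHE-RSA-AES256-SHA:AES256-SHA:AES128-SHA"
# The smtpd lines from the question, placeholders included.
SAMPLE_LOG = """\
smtpd[252494]: SSL_accept error from <splunk_server> [xx.xxx.xx.xxx]: -1
smtpd[252494]: warning: TLS library problem: 252494:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1427:
smtpd[252494]: lost connection after STARTTLS from <splunk_server> [xx.xxx.xx.xxx]
smtpd[252494]: disconnect from <splunk_server> [xx.xxx.xx.xxx], message count 0
"""

LINE = re.compile(r"smtpd\[(\d+)\]: (.*)")
PEER = re.compile(r"SSL_accept error from (\S+)")
# OpenSSL error-queue entry: error:<code>:<library>:<function>:<reason>:<file>:<line>:
OSSL = re.compile(r"error:[0-9A-Fa-f]{8}:[^:]*:[^:]*:([^:]*):")

def tls_failures(log_text):
    """Group smtpd lines by PID and return one record per failed TLS handshake."""
    by_pid = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        rec = by_pid.setdefault(pid, {"pid": pid, "client": None, "reason": None, "stage": None})
        if (p := PEER.search(msg)):
            rec["client"] = p.group(1)
        elif (e := OSSL.search(msg)):
            rec["reason"] = e.group(1)
        elif msg.startswith("lost connection after "):
            rec["stage"] = msg.split()[3]
    return [r for r in by_pid.values() if r["reason"]]

def cipher_names(spec):
    """Split a cipher list on ':', ',' or whitespace; keywords like HIGH are not expanded."""
    return [t for t in re.split(r"[:,\s]+", spec.strip()) if t and t[0] not in "!+-"]

def shared_ciphers(client_spec, server_spec):
    """Ciphers both sides name, in the client's preference order."""
    server = set(cipher_names(server_spec))
    return [c for c in cipher_names(client_spec) if c in server]

if __name__ == "__main__":
    for f in tls_failures(SAMPLE_LOG):
        print(f, "shared:", shared_ciphers(SPLUNK_SUITE, GATEWAY_CIPHERS) or "none")
```

An empty result from `shared_ciphers` matches the "no shared cipher" reason in the log; the server-side list has to be given as explicit cipher names, because this sketch does not expand OpenSSL keywords.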