Hi all, after upgrade to 8.0.5 from 7.2.6 all my users can't send mail using sendemail.py because they don't have access to mail settings:
ERROR sendemail:1370 - Could not get email credentials from splunk, using no credentials. Error: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/services/admin/alert_actions/email
I've already checked that list_settings is added to roles. If I add admin_all_objects users can send but I don't want to add that capability to all users.
Is there another capability to add other than list_settings to enable users to send mail?
Thanks
created an Idea on:
sole the issue: sendemail without the cost of a security | Ideas (splunk.com)
Unfortunately I have only 1 vote so far 🙂 - so a solution is not expected soon
FYI: Recent answer from Splunk Support:
Previously mentioned bugs, SPL-194202 being one of them addressed the issue where alerts created by a user with role "user" would not be sent if they didn't have the admin_all_objects capability - this has been fixed. This is different from using the "sendemail" command directly from any search - I'm afraid this is working as documented (it will not work unless the previously discussed capabilities are added to the user role), please see the documentation on that:
https://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification#Define_an_email_notifica...
https://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification#User_role_configuration_... (https://docs.splunk.com/Documentation/Splunk/8.1.3/Alert/Emailnotification#User_role_configuration_f...)
If you are sending an email notification to a server that requires SMTP authentication, you must have the admin role assigned. (https://docs.splunk.com/Documentation/Splunk/latest/Alert/Emailnotification#Use_a_search_command_to_... (truncated, see original email for full text)
Conclusion: this will not be fixed in any version because it works as documented 😞
I can't find anyone with this issue on version 7.12, but it looks to be slightly different
sendemail:460 - Connection unexpectedly closed while sending mail to:<Email>
this is when you send a test email from the export PDF "send test email" link
2021-03-29 09:25:09,687 +1300 INFO sendemail:1296 - Generated PDF for email
2021-03-29 09:25:15,035 +1300 ERROR sendemail:137 - Sending email. subject="Splunk Dashboard: <Name>", results_link="None", recipients="[u'<User>']", server="smtp.office365.com:587"
When sending as admin it works, as I assume that it needs to pass on the creds (which you can't specify when using "send test email"), and it only works when testing it from an Admin account.
We are planning to go to the cloud, so updating to 8.0.6 (the so-called fixed version) is not on the cards, and someone says it's an issue in the cloud, which I hope was resolved?
Any workaround for now?
NVM I found some interesting information
For a number of versions now the requirements are
User role configuration for PDF delivery
The following capabilities are required for PDF delivery scheduling.
Email notification action - Splunk Documentation
So the only way to "allow" this is to give a role this capability (rather not) or set up a local SMTP to forward the email to O365
Same here, I am now on version 8.1.2, no solution yet. Reported (again) to support for a final solution.
https://docs.splunk.com/Documentation/Splunk/8.1.2/ReleaseNotes/KnownIssues
In my opinion this is nothing else than a security breach. Security for regular users is "wide open" if you want to use this sendemail function. This issue already has a long history in versions and the lack of urgency begins to worry me.
Fixed issue in 8.0.6
2020-08-26 | SPL-194243, SPL-193332 | After upgrade to version 8.0.5, the splunk user needs the "admin_all_objects" capability to send email alert |
I see now that this is a Highlighted Issue in the release notes. Hope they fix it soon...
Can you try re-entering the password in email settings?
I think the credential is correctly stored, as mail is working if I log in using admin.
The issue is with users without admin privilege (but with the list_settings capability).
Thanks
Same issue here. After upgrading to 8.0.5, alerts that were working don't work unless I change the owner to an admin user.
I have the same problem. If I add "list_settings" to role user, then users can send mail, but get an error in python.log:
sendemail:1370 - Could not get email credentials from splunk, using no credentials. Error: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/services/admin/alert_actions/email
We're experiencing this issue, too. Did you find a fix?
We upgraded to 8.0.6 and that resolved the issue.
I created an idea some time ago for this issue, see
sole the issue: sendemail without the cost of a security | Ideas (splunk.com)
It appears to be in a stage of consideration.
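
Added example, not part of any post in this thread and not Splunk's own code: a small python.log triage script that flags the credential 403 quoted above and pairs it with a following "Connection unexpectedly closed" line. The function names, the 60-second window and the assumption that such a pair means the unauthenticated fallback was rejected by the SMTP server are illustrative; the log layout follows the excerpts quoted in the thread.

```python
import re
from datetime import datetime

# Layout follows the python.log excerpts quoted in the thread:
# "<date> <time>,<ms> <tz> <LEVEL> sendemail:<line> - <message>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [+-]\d{4}) "
    r"([A-Z]+)\s+sendemail:\d+ - (.*)$"
)
CRED_403 = "Could not get email credentials from splunk"
ENDPOINT = "/services/admin/alert_actions/email"
CONN_CLOSED = "Connection unexpectedly closed"

def classify(line):
    """Return (timestamp, kind) for a sendemail line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f %z")
    msg = m.group(3)
    if CRED_403 in msg and "[HTTP 403]" in msg and ENDPOINT in msg:
        return ts, "credential_403"
    if CONN_CLOSED in msg:
        return ts, "smtp_closed"
    return ts, "other"

def unauthenticated_failures(lines, window_seconds=60):
    """Pair each credential_403 with an smtp_closed that follows within the window.

    Assumption (hypothetical heuristic): such a pair means sendemail fell back
    to no credentials and the SMTP server then dropped the connection.
    """
    pairs, pending = [], None
    for ts, kind in filter(None, map(classify, lines)):
        if kind == "credential_403":
            pending = ts
        elif kind == "smtp_closed" and pending is not None:
            if (ts - pending).total_seconds() <= window_seconds:
                pairs.append((pending, ts))
            pending = None
    return pairs

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    "2021-03-29 09:25:09,687 +1300 INFO sendemail:1296 - Generated PDF for email",
    "2021-03-29 09:25:10,101 +1300 ERROR sendemail:1370 - Could not get email credentials from splunk, using no credentials. Error: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/services/admin/alert_actions/email",
    "2021-03-29 09:25:15,035 +1300 ERROR sendemail:460 - Connection unexpectedly closed while sending mail to:user@example.com",
    "2021-03-29 11:00:00,000 +1300 ERROR sendemail:460 - Connection unexpectedly closed while sending mail to:user@example.com",
    "not a sendemail line",
]
```

Running `unauthenticated_failures` over the sendemail lines in python.log separates sends that failed after the 403 fallback from unrelated SMTP drops, such as the fourth sample line.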