Unable to get email alerts working


(Greyclear) #1

I can’t seem to get my email alerts working. I downloaded and imported an OVA template to vmware. When I click test alert it says: Sending test alert notification failed with message: Sending the email to the following server failed : 10.1.1.80:25

Here are my settings

transport_email_enabled = true
transport_email_hostname = ipaddress
transport_email_port = 25
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_auth_username = noreply@dot com
transport_email_auth_password = xxxxx
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@example dot com

If I tcpdump you can see the connection is being made when I hit test.

If I telnet to the exchange server from the command line it works just fine and I do get the email to my inbox

ubuntu@graylog:/opt/graylog/conf$ telnet 10.1.1.80 25
Trying 10.1.1.80...
Connected to 10.1.1.80.
Escape character is '^]'.
220 EXCHANGESERVER.local Microsoft ESMTP MAIL Service ready at Tue, 10 Apr 2018 08:09:45 -0500
HELO linuxserver
250 EXCHANGESERVER.local Hello [10.2.2.53]
MAIL FROM: graylog@dot com
250 2.1.0 Sender OK
RCPT TO:myemailaddress@dot com
250 2.1.5 Recipient OK
DATA
354 Start mail input; end with .
SUBJECT: sending a test email
Hello from this graylog test setup
.
250 2.6.0 <ace82be2-774f-4682-b17f-26d7272c1c24@EXCHANGESERVER local> [InternalId=5108656] Queued mail for delivery
quit
221 2.0.0 Service closing transmission channel
Connection closed by foreign host.

Are there any other logs on the system I can look at to see why it is failing? If I had to guess, the Exchange server is rejecting the test email alert.


(Jan Doberstein) #2

If you redacted anything and haven’t done that at all levels the same way, we can’t help you. But your telnet test didn’t match the configuration in Graylog.


(Greyclear) #3

Redacted information is for privacy reasons; not sure what you mean by “haven’t done that at all levels the same way”.

The telnet session is just to prove that I can communicate with my Exchange server from the command line just fine. It’s only from the Graylog GUI that setting up an alert fails.


(Jan Doberstein) #4

You have not tested the telnet session with the data that is present in your Graylog configuration.

AFAIK the mail server configuration could easily be set to not accept messages from @example.com, and that is the default at Exchange.

Test with the same data you have configured in graylog - check your graylog server.log what is written if you hit the test notification button.


(Greyclear) #5

Information is the same


(Jochen) #6

If it was the same, it would work, wouldn’t it? :wink:


(Greyclear) #7

That’s why I am here asking why it is not working :wink: The information is exactly the same. The GUI says it fails but doesn’t tell me why. Very little for me to go off of.


(Jan Doberstein) #8

Let me quote myself:

Test with the same data you have configured in graylog - check your graylog server.log what is written if you hit the test notification button.

The locations of the log files are documented here: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html#omnibus-package


(Jochen) #9

Please post the necessary information again but this time redact only the necessary parts and most important, redact the information consistently. From your first post it’s pretty non-obvious which credentials and connection details you’ve been using.

And of course what Jan already said twice:


(Roger Mier) #10

What they’re saying is that your line:
transport_email_hostname = ipaddress

does not match your telnet session using IP: 10.1.1.80

If you redacted the transport_email_hostname, and then didn’t redact the IP in the telnet output, the redaction wasn’t useful, so maybe that wasn’t actually a redaction, maybe that’s what your conf file looks like.
If you didn’t redact it, and transport_email_hostname is set to ‘ipaddress’, then that’s the problem. It should be set to the IP you used in the telnet session.

From what you’ve posted, we can’t tell which it is.


(Greyclear) #11

When I posted originally, it wouldn’t let me post because I was a new member. It said you are only allowed two links, and it converted some of the information to URLs, so I had to format it a little so it would let me post, and I also had to remove our domain for privacy reasons.

The transport host name is the same in my telnet session. Sorry about all the confusion. I will post my telnet results tomorrow, time permitting; been a little busy today. Thanks for the help.


(Jochen) #12

Either properly format your text snippets (see https://help.github.com/articles/creating-and-highlighting-code-blocks/) or use a pastebin service such as https://gist.github.com/ or https://0bin.net/ to share your configuration and text files.


(Ofentse) #13

I had to use graylog-ctl script to configure SMTP relay. Then ensure that in Alerts GUI, I have no FROM email address set. Then notifications will work. This is for Graylog 2.4.0 appliance


(Ofentse) #14

Also remember that you need to explicitly state that you aren’t using TLS nor SSL for SMTP email. It seems by default the email channel from Graylog is in SSL.
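
An added example, not part of any post in this thread and not Graylog's own code: it checks the transport settings from post #1 against what the plain telnet session on port 25 actually exercised, and offers a probe that connects the way the settings ask. It assumes `transport_email_use_ssl` means implicit TLS (SMTPS) and `transport_email_use_tls` means STARTTLS; `parse_conf`, `check_conf` and `probe` are hypothetical helper names, and the sample config is constructed with the hostname taken from the telnet session.

```python
import smtplib

# Constructed sample: the transport settings from post #1, hostname from the telnet test.
POSTED_CONF = """\
transport_email_hostname = 10.1.1.80
transport_email_port = 25
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = true
"""

def parse_conf(text):
    """Parse key = value lines from a server.conf-style fragment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_conf(conf):
    """List settings that a plain, unauthenticated port-25 telnet test never exercised."""
    on = lambda key: conf.get("transport_email_" + key, "false").lower() == "true"
    port = int(conf.get("transport_email_port", "25"))
    findings = []
    if on("use_tls") and on("use_ssl"):
        findings.append("use_tls and use_ssl are both enabled; pick one")
    if on("use_ssl") and port == 25:
        findings.append("use_ssl expects TLS from the first byte; port 25 normally starts in plaintext")
    if on("use_auth"):
        findings.append("use_auth is enabled; the telnet test sent no AUTH command")
    return findings

def probe(host, port, use_ssl, use_tls, timeout=10):
    """Connect the way the settings ask and report what the server offers."""
    if use_ssl:  # assumption: implicit TLS (SMTPS)
        smtp = smtplib.SMTP_SSL(host, port, timeout=timeout)
    else:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
    with smtp:
        smtp.ehlo()
        if use_tls and not use_ssl:  # assumption: STARTTLS upgrade
            smtp.starttls()  # raises SMTPNotSupportedError if the server does not offer it
            smtp.ehlo()
        return {"starttls": smtp.has_extn("starttls"), "auth": smtp.has_extn("auth")}
```

`probe` needs network access to the mail server; an exception from it (TLS handshake failure, STARTTLS not offered) names the setting to turn off, which the GUI message does not.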


(Greyclear) #15

Here are two screenshots of the telnet results and my config. I have tried with SSL/TLS and without SSL/TLS

What it says from the web browser when I select test alert.

Could not send test alert notification
Sending test alert notification failed with message: Sending the email to the following server failed : 10.1.1.80:25


(Greyclear) #16


(Jochen) #17

Unless you provide the logs of your Graylog node(s) which have been requested three times now, we can’t help you.

This being said, you should take another look at what @ofentselogger wrote:


(Greyclear) #18

ubuntu@graylog:/opt/graylog/conf$ cd /var/log/graylog/server/
-bash: cd: /var/log/graylog/server/: Permission denied

ubuntu@graylog:/opt/graylog/conf$ cd /var/opt/graylog/data/journal
-bash: cd: /var/opt/graylog/data/journal: Permission denied

Reason I haven’t posted logs is because I cannot access them.


(Jochen) #19

They’re only readable for the root user.

Try changing to root via sudo -i first.


(Greyclear) #20

2018-04-11_13:56:25.80509 onnect(SMTPTransport.java:748) ~[graylog.jar:?]
2018-04-11_13:56:25.80517 at javax.mail.Service.connect(Service.java:388) ~[graylog.jar:?]
2018-04-11_13:56:25.80935 at javax.mail.Service.connect(Service.java:246) ~[graylog.jar:?]
2018-04-11_13:56:25.81647 at javax.mail.Service.connect(Service.java:195) ~[graylog.jar:?]
2018-04-11_13:56:25.82210 at javax.mail.Transport.send0(Transport.java:254) ~[graylog.jar:?]
2018-04-11_13:56:25.82451 at javax.mail.Transport.send(Transport.java:124) ~[graylog.jar:?]
2018-04-11_13:56:25.82894 at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1459) ~[graylog.jar:?]
2018-04-11_13:56:25.83274 … 33 more

I run tail -f then hit test, this is what I see. Let me dig some more.