Difference between revisions of "Pandora: Configuration emails alerts"

From Pandora FMS Wiki
(Postfix Setup)
(Postfix Setup)
Line 69: Line 69:
 
2-- Create the /etc/postfix/sasl/passwd file with your gmail address and password (you must create the “sasl” directory and then create the passwd file in there).
 
2-- Create the /etc/postfix/sasl/passwd file with your gmail address and password (you must create the “sasl” directory and then create the passwd file in there).
  
To create the “sasl” directory use command:
+
To create the “sasl” directory:
  
 
  mkdir /etc/postfix/sasl
 
  mkdir /etc/postfix/sasl
  
To create the passwd file, use this command:
+
To create the passwd file:
  
 
  nano /etc/postfix/sasl/passwd
 
  nano /etc/postfix/sasl/passwd
Line 81: Line 81:
 
  [smtp.gmail.com]:587 [email protected]:PASSWORD
 
  [smtp.gmail.com]:587 [email protected]:PASSWORD
  
Protect it accordingly:
+
Protect the password file accordingly:
  
 
  chmod 600 /etc/postfix/sasl/passwd
 
  chmod 600 /etc/postfix/sasl/passwd
Line 87: Line 87:
 
This will allow only root users to access the file.
 
This will allow only root users to access the file.
  
3-- Transform /etc/postfix/sasl/passwd into a hash type indexed file using the following command. This will create a lookup table via postmap:
+
3-- Transform /etc/postfix/sasl/passwd into a hash type indexed file. This will create a lookup table via postmap:
  
 
  postmap /etc/postfix/sasl/passwd
 
  postmap /etc/postfix/sasl/passwd
  
Issuing this command will create a passwd.db file.
+
Issuing this command will create a passwd.db file in the /etc/postfix/sasl/ directory.
  
4-- The next part is for installing Gmail and Equifax certificate. Pre-built Pandora FMS ISO and VMware virtual image do not have these certificates by default. If you have the certificates installed, then you can skip this part.
+
4-- Now to install the Gmail and Equifax certificates. Pre-built Pandora FMS ISO and VMware virtual image do not have these certificates by default. If you have the certificates installed, then you can skip this part.
  
 
To install the Gmail certificate, follow these steps:
 
To install the Gmail certificate, follow these steps:
Line 101: Line 101:
 
  cd /etc/pki/tls/
 
  cd /etc/pki/tls/
  
We need to download Equifax certificate. First, enter this command:
+
We need to download Equifax certificate.
 
  sudo wget -O Equifax_Secure_Certificate_Authority.pem https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
 
  sudo wget -O Equifax_Secure_Certificate_Authority.pem https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
  
Line 107: Line 107:
 
  chmod 644 Equifax_Secure_Certificate_Authority.pem
 
  chmod 644 Equifax_Secure_Certificate_Authority.pem
  
We also need to request the sign for the certificate:
+
We also need to request the signature for the certificate:
 
  openssl x509 -in Equifax_Secure_Certificate_Authority.pem -fingerprint -subject -issuer -serial -hash -noout
 
  openssl x509 -in Equifax_Secure_Certificate_Authority.pem -fingerprint -subject -issuer -serial -hash -noout
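Review bot: "request the signature for the certificate" in the reworded sentence still does not describe the command under it. openssl x509 with -fingerprint -subject -issuer -serial -hash -noout only prints those fields from the local Equifax_Secure_Certificate_Authority.pem file and requests nothing. Suggest "display the certificate's fingerprint and details" and stating what the printed fingerprint should be compared against, otherwise the step verifies nothing.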
  
Line 113: Line 113:
 
  yum install openssl-perl
 
  yum install openssl-perl
  
Please note that this did not go so well for me on the ISO or VMware image install.  At this point I took the following additional steps
+
If you receive errors attempting to install openssl-perl, I took the following additional steps to resolve this problem:
 
   sudo su
 
   sudo su
 
   nano /etc/yum.repos.d/extra_repos.repo
 
   nano /etc/yum.repos.d/extra_repos.repo
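Review bot: the new sentence "If you receive errors attempting to install openssl-perl, I took the following additional steps" starts as an instruction and ends as a first-person report, so it is unclear whether the reader is expected to repeat the steps. Suggest "If yum install openssl-perl fails, take these additional steps:". The "sudo su" line that follows opens a full root shell for a single file edit; editing the repo file with sudo would be enough.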
Line 127: Line 127:
 
  nano /etc/pki/tls/gmail.pem
 
  nano /etc/pki/tls/gmail.pem
  
and paste these lines to the gmail.pem file:
+
and paste these lines into the gmail.pem file:
 
  -----BEGIN CERTIFICATE-----
 
  -----BEGIN CERTIFICATE-----
 
  MIIDWjCCAsOgAwIBAgIKYgy3qQADAAAJ5zANBgkqhkiG9w0BAQUFADBGMQswCQYD
 
  MIIDWjCCAsOgAwIBAgIKYgy3qQADAAAJ5zANBgkqhkiG9w0BAQUFADBGMQswCQYD
Line 157: Line 157:
 
  openssl s_client -connect pop.gmail.com:995 -CApath /etc/pki/tls
 
  openssl s_client -connect pop.gmail.com:995 -CApath /etc/pki/tls
  
The important bits are the Verify return code:0 (ok), and the final OK Gpop ready.  If you get them then you can connect to GMail.
+
The important point is to Verify the return code:0 (ok), and the final OK Gpop ready.  If you get them then you can connect to GMail.
  
 
Now let’s create the Equifax_secure_CA.pem file:
 
Now let’s create the Equifax_secure_CA.pem file:
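Review bot: the reworded line "The important point is to Verify the return code:0 (ok)" turns the literal openssl output into an instruction, so it no longer matches what the reader sees on screen. Quote the two strings to look for verbatim, for example: the output should contain "Verify return code: 0 (ok)" and end with "OK Gpop ready".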
Line 192: Line 192:
 
  /etc/init.d/postfix restart
 
  /etc/init.d/postfix restart
  
6 - You can verify the performance by opening two consoles. You should execute the following command in one of them to monitor the behavior of the mail:
+
6 - You can verify the performance by opening two consoles. You should execute the following command in one console to monitor the behavior of the mail:
  
 
  tail -f /var/log/mail.log
 
  tail -f /var/log/mail.log
Line 217: Line 217:
 
   Find the line that says, "inet_protocols = all" and change to "inet_protocols = ipv4"
 
   Find the line that says, "inet_protocols = all" and change to "inet_protocols = ipv4"
 
   then
 
   then
   sudo /etc/init.d/postfix reload to restart Postfix.
+
   sudo /etc/init.d/postfix restart to restart Postfix.
  
 
[[Category:Pandora FMS]]
 
[[Category:Pandora FMS]]

Revision as of 02:34, 9 May 2015

1 Quick email setup guide for alerts in Pandora FMS

1.1 Email configuration with a Gmail account

In order to configure Pandora FMS to send alerts via Gmail, Pandora and Postfix must be configured this way:

1.1.1 Pandora's Configuration

To configure email with a Gmail account, all the mail fields in the Pandora FMS server configuration file (/etc/pandora/pandora_server.conf) must be commented out as shown below, except the mta_address field, which is set to the IP address of the server where Postfix is installed, or to localhost.

If Postfix is installed on the same server as Pandora FMS, the configuration in pandora_server.conf looks like this:

mta_address localhost 
#mta_port 25
#mta_user [email protected]
#mta_pass mypassword
#mta_auth LOGIN
#mta_from Pandora FMS <[email protected]>


Now, I would like to show you briefly how to configure an alert in the Pandora FMS console.

1.1.1.1 Action Setup

To set the mail recipient, use the mail action to XXX so you can add an email recipient to which all the mail alerts will be sent.


GMAIL1.png

1.1.1.2 Alert setup

In this case, a new alert has been created for the module under the module configuration > Alerts, as you can see in the screenshot below.


GMAIL2.png

Once the alert is fired, you can see how the alert reaches the e-mail picked in the action:


GMAIL3.png


GMAIL4.png

1.1.2 Postfix Setup

Assuming you have already installed Postfix and everything works fine except sending to Gmail SMTPS, here are the steps to follow:

1-- Edit the /etc/postfix/main.cf configuration file and add the following lines at the end of the file:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem

2-- Create the /etc/postfix/sasl/passwd file with your gmail address and password (you must create the “sasl” directory and then create the passwd file in there).

To create the “sasl” directory:

mkdir /etc/postfix/sasl

To create the passwd file:

nano /etc/postfix/sasl/passwd

And paste the line below with your own gmail address and password inserted:

[smtp.gmail.com]:587 [email protected]:PASSWORD

Protect the password file accordingly:

chmod 600 /etc/postfix/sasl/passwd

This allows only the file's owner (root, when the file is created as root) to read and write the file.

3-- Transform /etc/postfix/sasl/passwd into a hash type indexed file. This will create a lookup table via postmap:

postmap /etc/postfix/sasl/passwd

Issuing this command will create a passwd.db file in the /etc/postfix/sasl/ directory.

4-- Now install the Gmail and Equifax certificates. The pre-built Pandora FMS ISO and VMware virtual image do not have these certificates by default. If you already have the certificates installed, you can skip this part.

To install the Gmail certificate, follow these steps:

Google’s SSL cert is signed by Equifax – so first we need to fetch that. Move to “tls” directory:

cd /etc/pki/tls/

We need to download the Equifax certificate:

sudo wget -O Equifax_Secure_Certificate_Authority.pem https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer

Now let’s set the permissions on the downloaded file:

chmod 644 Equifax_Secure_Certificate_Authority.pem

We also need to display the certificate's fingerprint, subject, issuer, serial number and hash:

openssl x509 -in Equifax_Secure_Certificate_Authority.pem -fingerprint -subject -issuer -serial -hash -noout

Next we need to install the Gmail cert. The first thing we need is the c_rehash util, so let's install its package:

yum install openssl-perl

If you receive errors attempting to install openssl-perl, I took the following additional steps to resolve this problem:

 sudo su
 nano /etc/yum.repos.d/extra_repos.repo
 In the #percona repository I changed the baseurl line to:  http://repo.percona.com/centos/6/os/x86_64/
 ^O to write the edited file
 ^x to exit
 After returning to root terminal, enter "yum install openssl-perl" and accept the defaults

Next we need to actually acquire the certificate for GMail. So use openssl to do this:

openssl s_client -connect pop.gmail.com:995 -showcerts

The output should contain the required lines for the certificate and we need to copy them to /etc/pki/tls/gmail.pem file. For this, create the file:

nano /etc/pki/tls/gmail.pem

and paste these lines into the gmail.pem file:


Next we need to run the c_rehash util:

cd /etc/pki/tls

and

c_rehash .

Finally, we can test it with:

openssl s_client -connect pop.gmail.com:995 -CApath /etc/pki/tls

The important parts of the output are "Verify return code: 0 (ok)" and the final "OK Gpop ready". If you get both, you can connect to Gmail.

Now let’s create the Equifax_secure_CA.pem file:

nano /etc/ssl/certs/Equifax_Secure_CA.pem

Paste the following certification lines:


Save and exit.

To add the Equifax certificate authority (which signs Gmail's SSL certificate) to the certificate file that Postfix uses, run the following command in a root console:

cat /etc/ssl/certs/Equifax_Secure_CA.pem > /etc/postfix/cacert.pem

5 - Finally, restart postfix to apply the changes:

/etc/init.d/postfix restart

6 - You can verify that it works by opening two consoles. In one console, execute the following command to monitor the mail log:

tail -f /var/log/mail.log

Send an email from the other console:

echo "Hello" | mail [email protected]

You may also need to change the settings in your Gmail account (under the “devices” tab) to receive the e-mail. You can also turn on access for less secure apps; read more about it here: https://www.google.com/settings/security/lesssecureapps

If you have done everything right, something like this should appear in the other console:

Dec 18 18:33:40 OKComputer postfix/pickup[10945]: 75D4A243BD: uid=0 from=
Dec 18 18:33:40 OKComputer postfix/cleanup[10951]: 75D4A243BD: message-id=
Dec 18 18:33:40 OKComputer postfix/qmgr[10946]: 75D4A243BD: from=, size=403, nrcpt=1 (queue active)
Dec 18 18:33:44 OKComputer postfix/smtp[10953]: 75D4A243BD: [email protected], relay=smtp.gmail.com[74.125.93.109]:587, delay=3.7,  delays=0.15/0.14/1.8/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK 1324249500 eb5sm36008464qab.10)
Dec 18 18:33:44 OKComputer postfix/qmgr[10946]: 75D4A243BD: removed

If the result is similar, Pandora is properly configured and linked to the Postfix server, so it will send mails as expected.
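The credential files from steps 2 and 3 can be checked after the setup with a short audit. This is an added example, not part of the original wiki page; the function name audit_sasl_dir is hypothetical and it assumes GNU stat, as found on CentOS-based images.

```shell
#!/bin/sh
# Added example (not from the wiki): audit the SASL credential files created
# in steps 2 and 3. DIR defaults to the page's /etc/postfix/sasl.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_sasl_dir() {
    dir=${1:-/etc/postfix/sasl}
    rc=0
    for f in "$dir/passwd" "$dir/passwd.db"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$f")      # GNU coreutils stat: octal mode
        case $mode in
            *00|0) ;;                  # no group or other permission bits
            *) echo "LOOSE $f mode=$mode (expected 600)"; rc=1 ;;
        esac
    done
    # Postfix reads passwd.db, not passwd: if passwd was edited after the
    # last postmap run, the relay still authenticates with the old password.
    if [ -f "$dir/passwd.db" ] && [ "$dir/passwd" -nt "$dir/passwd.db" ]; then
        echo "STALE $dir/passwd.db is older than passwd; re-run postmap"
        rc=1
    fi
    # A directory writable by group or others lets them replace the files.
    dmode=$(stat -c '%a' "$dir")
    case $dmode in
        *[2367]?|*[2367]) echo "LOOSE $dir mode=$dmode (group/other writable)"; rc=1 ;;
    esac
    return $rc
}
```

Run it as root with the directory as the argument, for example audit_sasl_dir /etc/postfix/sasl; no output and exit status 0 mean both files are owner-only and the lookup table is current.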

    • Special Notes: Communicating with gmail can be tricky and I ran into a problem where the maillog indicated "Network is unreachable" - this required me to edit the connection protocol for Postfix to communicate with the gmail smtp server, as follows:
 sudo nano /etc/postfix/main.cf
 Find the line that says, "inet_protocols = all" and change to "inet_protocols = ipv4"
 then
 sudo /etc/init.d/postfix restart to restart Postfix.
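The log check in step 6 and the "Network is unreachable" case from the note above can be read off the mail log with a small filter. This is an added example, not part of the original wiki page; the function names and the sample log lines are constructed for illustration, modeled on the log format shown in step 6.

```shell
#!/bin/sh
# Added example (not from the wiki): summarise Postfix smtp delivery lines.
# Output per delivery: QUEUE_ID STATUS DSN RELAY [# hint]
relay_summary() {
    awk '
    function val(s) { sub(/^[a-z]+=/, "", s); sub(/,$/, "", s); return s }
    $5 ~ /^postfix\/smtp\[/ && /status=/ {
        qid = $6; sub(/:$/, "", qid)
        relay = dsn = status = "-"
        for (i = 7; i <= NF; i++) {
            if      ($i ~ /^relay=/)  relay = val($i)
            else if ($i ~ /^dsn=/)    dsn = val($i)
            else if ($i ~ /^status=/) { status = val($i); break }
        }
        line = qid " " status " " dsn " " relay
        if (status != "sent") {
            if      ($0 ~ /Network is unreachable/)     line = line " # check inet_protocols in main.cf"
            else if ($0 ~ /SASL authentication failed/) line = line " # check sasl/passwd, re-run postmap"
        }
        print line
    }' "$@"
}

# Constructed sample input (addresses are documentation ranges, not real hosts).
sample_maillog() {
    cat <<'EOF'
Dec 18 18:33:44 OKComputer postfix/smtp[10953]: 75D4A243BD: to=<user@example.com>, relay=smtp.gmail.com[192.0.2.10]:587, delay=3.7, delays=0.15/0.14/1.8/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Dec 18 18:33:44 OKComputer postfix/qmgr[10946]: 75D4A243BD: removed
Dec 18 18:40:02 OKComputer postfix/smtp[11020]: 8A1F2243C1: to=<user@example.com>, relay=none, delay=0.2, delays=0.1/0.05/0.05/0, dsn=4.4.1, status=deferred (connect to smtp.gmail.com[2001:db8::6d]:587: Network is unreachable)
EOF
}

sample_maillog | relay_summary
```

Against a live system, pass the log file instead: relay_summary /var/log/mail.log.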