Difference between revisions of "Pandora: Configuration emails alerts"

From Pandora FMS Wiki
(Postfix Setup)
(Postfix Configuration)
 
(19 intermediate revisions by 7 users not shown)
Line 1: Line 1:
= Quick email setup guide for alerts in Pandora FMS =
+
= Quick email setup guide for alerts on Pandora FMS =
  
== Email configuration with a Gmail account ==
+
== Email configuration using a Gmail account ==
  
 
In order to configure Pandora FMS to send alerts via Gmail, Pandora and Postfix must be configured this way:
 
In order to configure Pandora FMS to send alerts via Gmail, Pandora and Postfix must be configured this way:
 
   
 
   
=== Pandora's Configuration ===
+
=== Pandora Configuration ===
  
In order to properly configure your email with a Gmail account, all the fields must have the following comments in the Pandora FMS server configuration file (/etc/pandora/pandora_server.conf) except the mta_address field, which will be configured with the IP server or localhost (where the postfixserver is installed).
+
In order to properly configure your email delivery with a Gmail account, all the fields must have the following comments in the Pandora FMS server configuration file (/etc/pandora/pandora_server.conf) except the mta_address field, which will be configured with the IP server or localhost (where the postfix server is installed).
  
If Postfix is installed in the same server than Pandora FMS, the configuration in the pandora_server.conf would be like this:
+
If Postfix is installed on the same server as Pandora FMS, the configuration in the pandora_server.conf file should look like this:
  
 
  mta_address localhost  
 
  mta_address localhost  
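Review bot: the revised pandora_server.conf sentence still says all the fields "must have the following comments", which reads as an instruction to add comments; the intent appears to be that every mail field except mta_address stays commented out, so it should say that directly. In the same sentence, "the IP server" would be clearer as "the IP address of the server".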
Line 19: Line 19:
  
  
Now, I would like to show you briefly how to configure an alert in the Pandora FMS console.  
+
Let's look briefly at how to configure an alert on the Pandora FMS console.  
  
 
==== Action Setup ====
 
==== Action Setup ====
  
To set the mail recipient, use the mail action to XXX so you can add an email recipient to which all the mail alerts will be sent.
+
To set the mail recipient, use the 'mail action to XXX' so you can add an email recipient to which all the mail alerts will be sent.
  
 
<center>
 
<center>
<br>
 
 
[[Image:GMAIL1.png|800px]]
 
[[Image:GMAIL1.png|800px]]
<br>
 
 
</center>
 
</center>
  
 
==== Alert setup ====
 
==== Alert setup ====
  
In this case, the module configuration has been generated in the module configuration> Alerts, a new alert with the module as the one that you can see in the screenshot below.
+
In this case, the module configuration has been generated in the module configuration> Alerts file, a new alert with the module like the one that can be seen on the screenshot below.
  
 
<center>
 
<center>
<br>
 
 
[[Image:GMAIL2.png|800px]]
 
[[Image:GMAIL2.png|800px]]
<br>
 
 
</center>
 
</center>
  
Once the alert is fired, you can see how the alert reaches the e-mail picked in the action:  
+
Once the alert is triggered, you can see how the alert reaches the e-mail address assigned to the action:  
  
 
<center>
 
<center>
<br>
 
 
[[Image:GMAIL3.png|800px]]
 
[[Image:GMAIL3.png|800px]]
<br>
 
 
</center>
 
</center>
 +
 
<center>
 
<center>
<br>
 
 
[[Image:GMAIL4.png|800px]]
 
[[Image:GMAIL4.png|800px]]
<br>
 
 
</center>
 
</center>
  
=== Postfix Setup ===
+
=== Postfix Installation ===
 +
 
 +
The following packages must be installed in Pandora server for postfix server to work properly together with a GMAIL account.
 +
 
 +
yum install postfix mailx cyrus-sasl-plain cyrus-sasl cyrus-sasl-lib cyrus-sasl-md5 cyrus-sasl-scram cyrus-sasl-gssapi
 +
 
 +
=== Postfix Configuration ===
  
Assuming you already installed Postfix and everything works fine except sending to gmail smtps, here are the steps to follow:
+
Once Postfix has been installed within the server and everything works properly, except for sending emails through Gmail, follow these steps:
  
1-- Edit the /etc/postfix/main.cf configuration file and add the following lines at the end of the file:
+
1-- Check that the "less secure pass" option is enabled in your Gmail account. It can be enabled through this link.(https://myaccount.google.com/lesssecureapps)
  
 +
2-- Edit the /etc/postfix/main.cf file and add the following lines at the end of said file:
 +
 +
myhostname = <hostname> #Add here server hostname
 
  relayhost = [smtp.gmail.com]:587
 
  relayhost = [smtp.gmail.com]:587
 
  smtp_sasl_auth_enable = yes
 
  smtp_sasl_auth_enable = yes
  smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
+
  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 +
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
 
  smtp_sasl_security_options = noanonymous
 
  smtp_sasl_security_options = noanonymous
 
  smtp_use_tls = yes
 
  smtp_use_tls = yes
  smtp_tls_CAfile = /etc/postfix/cacert.pem
+
  smtp_tls_CAfile = /etc/pki/tls/cert.pem
 +
smtp_tls_security_level = encrypt
 +
  
2-- Create the /etc/postfix/sasl/passwd file with your gmail address and password (you must create the “sasl” directory and then create the passwd file in there).
+
3-- Create the /etc/postfix/sasl_passwd file with its corresponding Gmail address and password.
  
To create the “sasl” directory use command:
+
nano /etc/postfix/sasl_passwd
  
mkdir /etc/postfix/sasl
+
Add the following line with the Gmail address and password to the file:
 
 
To create the passwd file, use this command:
 
 
 
nano /etc/postfix/sasl/passwd
 
 
 
And paste the line below with your own gmail address and password inserted:
 
  
 
  [smtp.gmail.com]:587 [email protected]:PASSWORD
 
  [smtp.gmail.com]:587 [email protected]:PASSWORD
  
Protect it accordingly:
+
Secure it accordingly:
 
 
chmod 600 /etc/postfix/sasl/passwd
 
 
 
This will allow only root users to access the file.
 
 
 
3-- Transform /etc/postfix/sasl/passwd into a hash type indexed file using the following command. This will create a lookup table via postmap:
 
 
 
postmap /etc/postfix/sasl/passwd
 
 
 
Issuing this command will create a passwd.db file.
 
 
 
4-- The next part is for installing Gmail and Equifax certificate. Pre-built Pandora FMS ISO and VMware virtual image do not have these certificates by default. If you have the certificates installed, then you can skip this part.
 
  
To install the Gmail certificate, follow these steps:
+
chmod 600 /etc/postfix/sasl_passwd
 +
chown root:root /etc/postfix/sasl_passwd
  
Google’s SSL cert is signed by Equifax – so first we need to fetch that.
+
4-- Create the /etc/postfix/tls_policy file with the following information:
Move to “tls” directory:
 
cd /etc/pki/tls/
 
  
We need to download Equifax certificate. First, enter this command:
+
  nano /etc/postfix/tls_policy
  sudo wget -O Equifax_Secure_Certificate_Authority.pem https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
 
  
Now let’s add the permissions to the downloaded file:
+
  [smtp.gmail.com]:587 encrypt
  chmod 644 Equifax_Secure_Certificate_Authority.pem
 
  
We also need to request the sign for the certificate:
+
Secure it accordingly:
openssl x509 -in Equifax_Secure_Certificate_Authority.pem -fingerprint -subject -issuer -serial -hash -noout
 
  
Next we need need to install the GMail cert. The first thing we need is the c_rehash util, so lets install its package:
+
  chmod 600 /etc/postfix/tls_policy
  yum install openssl-perl
+
  chown root:root /etc/postfix/tls_policy
  
Please note that this did not go so well for me on the ISO or VMware image install.  At this point I took the following additional steps
 
  sudo su
 
  nano /etc/yum.repos.d/extra_repos.repo
 
  In the #percona repository I changed the baseurl line to:  http://repo.percona.com/centos/6/os/x86_64/
 
  ^O to write the edited file
 
  ^x to exit
 
  After returning to root terminal, enter "yum install openssl-perl" and accept the defaults
 
  
Next we need to actually acquire the certificate for GMail.  So use openssl to do this:
+
5-- Turn /etc/postfix/sasl_passwd and /etc/postfix/tls_policy into a hash-type indexed file through this command:
openssl s_client -connect pop.gmail.com:995 -showcerts
 
  
The output should contain the required lines for the certificate and we need to copy them to /etc/pki/tls/gmail.pem file. For this, create the file:
+
postmap /etc/postfix/sasl_passwd && postmap /etc/postfix/tls_policy
nano /etc/pki/tls/gmail.pem
 
  
and paste these lines to the gmail.pem file:
+
It will create the /etc/postfix/sasl_passwd.db and /etc/postfix/tls_policy.db files.
 
  
Next we need to run the c_rehash util:
 
cd /etc/pki/tls
 
and
 
c_rehash .
 
  
Finally, we can test it with:
+
6-- Finally, restart postfix to apply the modifications as it follows:
openssl s_client -connect pop.gmail.com:995 -CApath /etc/pki/tls
 
 
 
The important bits are the Verify return code:0 (ok), and the final OK Gpop ready.  If you get them then you can connect to GMail.
 
 
 
Now let’s create the Equifax_secure_CA.pem file:
 
nano /etc/ssl/certs/Equifax_Secure_CA.pem
 
 
 
Paste the following certification lines:
 
 
 
 
Save and exit.
 
 
 
In order to add the Equifax certificating authority (which certifies emails from Gmail) into the certificate file that postfix uses, run the following command in a root console:
 
cat /etc/ssl/certs/Equifax_Secure_CA.pem > /etc/postfix/cacert.pem
 
 
 
5 - Finally, restart postfix to apply the changes:
 
  
 
  /etc/init.d/postfix restart
 
  /etc/init.d/postfix restart
  
6 - You can verify the performance by opening two consoles. You should execute the following command in one of them to monitor the behavior of the mail:
+
7-- The performance can be checked by logging in two consoles. Execute the following command to monitor mail performance:
 
 
tail -f /var/log/mail.log
 
  
You can send an email through the other one:
+
tail -f /var/log/maillog
  
echo "Hello!" | mail your-email[email protected]
+
The other one will send an email:
  
You also may need to change the settings under your gmail account (under the “devices” tab) to receive the e-mail. You can also turn on access for less secure apps and read more about it from here:
+
echo "Mail test" | mail [email protected]gmail.com
https://www.google.com/settings/security/lesssecureapps
 
  
If you have done everything right, something like that should appear in the other console:
+
If the preceding steps have been carried out correctly, the other console should show something like this:
  
 
  Dec 18 18:33:40 OKComputer postfix/pickup[10945]: 75D4A243BD: uid=0 from=
 
  Dec 18 18:33:40 OKComputer postfix/pickup[10945]: 75D4A243BD: uid=0 from=
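Review bot: in the new main.cf block, "smtp_tls_security_level = encrypt" (and the matching "encrypt" entry in tls_policy) makes TLS mandatory but still accepts a server certificate that fails verification, so the new "smtp_tls_CAfile = /etc/pki/tls/cert.pem" line does not stop the SASL password from being sent to an unauthenticated relay. Since this revision replaces the manual certificate steps with the system bundle, consider "secure" or "verify" for the smtp.gmail.com entry so the bundle is actually enforced. Separately, "myhostname = <hostname> #Add here server hostname" puts a comment after the value, which main.cf does not support; the comment belongs on its own line.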
Line 211: Line 124:
 
  Dec 18 18:33:44 OKComputer postfix/qmgr[10946]: 75D4A243BD: removed
 
  Dec 18 18:33:44 OKComputer postfix/qmgr[10946]: 75D4A243BD: removed
  
If the result is similar, Pandora is properly configured and linked to the Postfix server, so it will send mails as expected.
+
If this is the result, Pandora will point to the Postfix server to send emails and they will be successfully sent.
  
 
[[Category:Pandora FMS]]
 
[[Category:Pandora FMS]]

Latest revision as of 10:31, 25 June 2019

1 Quick email setup guide for alerts on Pandora FMS

1.1 Email configuration using a Gmail account

In order to configure Pandora FMS to send alerts via Gmail, Pandora and Postfix must be configured this way:

1.1.1 Pandora Configuration

To send email through a Gmail account, all the mail fields in the Pandora FMS server configuration file (/etc/pandora/pandora_server.conf) must be commented out, as shown below, except the mta_address field, which is set to the IP address of the server where Postfix is installed (or localhost).

If Postfix is installed on the same server as Pandora FMS, the configuration in the pandora_server.conf file should look like this:

mta_address localhost 
#mta_port 25
#mta_user [email protected]
#mta_pass mypassword
#mta_auth LOGIN
#mta_from Pandora FMS <[email protected]>


Let's look briefly at how to configure an alert on the Pandora FMS console.

1.1.1.1 Action Setup

To set the mail recipient, use the 'mail action to XXX' so you can add an email recipient to which all the mail alerts will be sent.

GMAIL1.png

1.1.1.2 Alert setup

In this case, a new alert has been created for the module under module configuration > Alerts, like the one that can be seen in the screenshot below.

GMAIL2.png

Once the alert is triggered, you can see how the alert reaches the e-mail address assigned to the action:

GMAIL3.png

GMAIL4.png

1.1.2 Postfix Installation

The following packages must be installed on the Pandora FMS server for Postfix to work properly with a Gmail account.

yum install postfix mailx cyrus-sasl-plain cyrus-sasl cyrus-sasl-lib cyrus-sasl-md5 cyrus-sasl-scram cyrus-sasl-gssapi

1.1.3 Postfix Configuration

Once Postfix has been installed on the server and everything works properly, except for sending emails through Gmail, follow these steps:

1-- Check that the "less secure apps" option is enabled in your Gmail account. It can be enabled through this link: https://myaccount.google.com/lesssecureapps

2-- Edit the /etc/postfix/main.cf file and add the following lines at the end of said file:

# Add the server hostname here (main.cf does not allow a comment after a value)
myhostname = <hostname>
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/cert.pem
smtp_tls_security_level = encrypt

3-- Create the /etc/postfix/sasl_passwd file with its corresponding Gmail address and password.

nano /etc/postfix/sasl_passwd

Add the following line with the Gmail address and password to the file:

[smtp.gmail.com]:587 [email protected]:PASSWORD

Secure it accordingly:

chmod 600 /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd

4-- Create the /etc/postfix/tls_policy file:

nano /etc/postfix/tls_policy

Add the following line to the file:

[smtp.gmail.com]:587 encrypt

Secure it accordingly:

chmod 600 /etc/postfix/tls_policy
chown root:root /etc/postfix/tls_policy


5-- Turn /etc/postfix/sasl_passwd and /etc/postfix/tls_policy into hash-type indexed files with this command:

postmap /etc/postfix/sasl_passwd && postmap /etc/postfix/tls_policy

It will create the /etc/postfix/sasl_passwd.db and /etc/postfix/tls_policy.db files.


6-- Finally, restart Postfix to apply the changes:

/etc/init.d/postfix restart

7-- The setup can be checked using two consoles. In the first console, run the following command to monitor the mail log:

tail -f /var/log/maillog

In the second console, send a test email:

echo "Mail test" | mail [email protected]

If the preceding steps have been carried out correctly, the other console should show something like this:

Dec 18 18:33:40 OKComputer postfix/pickup[10945]: 75D4A243BD: uid=0 from=
Dec 18 18:33:40 OKComputer postfix/cleanup[10951]: 75D4A243BD: message-id=
Dec 18 18:33:40 OKComputer postfix/qmgr[10946]: 75D4A243BD: from=, size=403, nrcpt=1 (queue active)
Dec 18 18:33:44 OKComputer postfix/smtp[10953]: 75D4A243BD: [email protected], relay=smtp.gmail.com[74.125.93.109]:587, delay=3.7,  delays=0.15/0.14/1.8/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK 1324249500 eb5sm36008464qab.10)
Dec 18 18:33:44 OKComputer postfix/qmgr[10946]: 75D4A243BD: removed

If this is the result, Pandora FMS can hand its alert emails to the Postfix server, and they will be sent successfully.
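
An added audit script for the files created in steps 2 to 5 (not part of the original wiki page or of Pandora FMS): it flags a password file readable by group or others, a `#` comment swallowed into `myhostname`, and a TLS level for the relay that encrypts without verifying the server certificate. The function names and the simplified main.cf parser are assumptions of this example.

```bash
#!/bin/sh
# Added example: audit the Postfix relay files created in steps 2-5.
# audit_postfix_relay [CONFIG_DIR]  prints one finding per line and
# returns the number of findings (0 = nothing flagged).

# Value of a main.cf parameter; the last assignment wins. Simplified
# parser (assumption): continuation lines are ignored. On a live host,
# `postconf -h NAME` is authoritative.
main_cf_value() {
    awk -v key="$2" '
        $0 ~ ("^" key "[ \t]*=") {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
        }
        END { print val }' "$1"
}

audit_postfix_relay() {
    dir="${1:-/etc/postfix}"
    findings=0
    report() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    [ -r "$dir/main.cf" ] || { report "MISSING main.cf"; return "$findings"; }

    # Steps 3 and 5: the password file and its postmap output must not be
    # accessible to group or others (characters 5-10 of the ls mode string).
    for f in sasl_passwd sasl_passwd.db; do
        if [ ! -e "$dir/$f" ]; then
            report "MISSING $f"
        elif [ "$(ls -ld "$dir/$f" | cut -c5-10)" != "------" ]; then
            report "PERMS $f is accessible to group or others"
        fi
    done

    # Step 2: main.cf has no inline comments, so "#..." after a value
    # becomes part of the value.
    host=$(main_cf_value "$dir/main.cf" myhostname)
    case "$host" in
        *"#"*|*" "*) report "VALUE myhostname includes a comment or spaces" ;;
    esac

    # Steps 2 and 4: a tls_policy entry for the relay overrides main.cf.
    # "may" and "encrypt" do not verify the server certificate.
    relay=$(main_cf_value "$dir/main.cf" relayhost)
    level=$(awk -v r="$relay" '$1 == r { l = $2 } END { print l }' \
        "$dir/tls_policy" 2>/dev/null) || level=""
    [ -n "$level" ] || level=$(main_cf_value "$dir/main.cf" smtp_tls_security_level)
    case "$level" in
        verify|secure|fingerprint|dane-only) ;;
        *) report "TLS level '${level:-unset}' does not authenticate $relay" ;;
    esac
    return "$findings"
}
```

Source the file and run `audit_postfix_relay /etc/postfix` as root after step 5; ownership (root:root) is not checked here.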