Custom email routing by application or alarm subject contents

Overview

This solution guide explains how to configure custom email routing of specific alarms or notifications within Eyeglass.  This is most commonly used for Easy Auditor or Ransomware Defender to route email notifications to a specific email address or group distribution list, and it also ensures that other system-level alarms are not sent to those addresses.  The steps below explain how to set up postfix email routing options.  It is also possible to drop emails silently; the alarm is still visible in the GUI Alarms icon.


How to switch to Eyeglass mail routing based on postfix OS SMTP Relay

  1. Most Eyeglass deployments use Notification Center to enter the SMTP details of your mail server. These steps switch to a local SMTP engine in the operating system.
    1. Requirements:
      1. This example assumes you are using anonymous, unauthenticated SMTP over port 25.
      2. The advanced section below covers authentication and TLS configuration.
    2. Steps
      1. Set up Eyeglass OS SMTP to send mail to your mail server
        1. ssh to Eyeglass as admin
        2. sudo -s (enter admin password)
        3. Edit the postfix setting: nano /etc/postfix/main.cf
        4. Press control+w and search for the word relayhost to locate the correct instance, i.e. the line that is not commented out (no # at the front of the line).  You will need to press control+w [enter] repeatedly, about 8 times, to reach the very last occurrence of relayhost that does not have a # comment in front of it.
        5. Edit the relayhost parameter (NOTE: the square brackets are required, as in the example below)
          1. relayhost = [DNS name or IP of your SMTP mail server]:25   (leave the square brackets)
        6. control+x, answer y and press enter to save and exit
        7. Restart postfix service
          1. systemctl restart postfix
          2. Check that the postfix service is running: systemctl status postfix
      2. Eyeglass - Switch to use the postfix local OS SMTP mail relay service without authentication

        1. From Eyeglass UI => Notification Center => Configure SMTP => Outgoing Email Server Information
        2. Host Name change to: localhost
        3. Port should stay set to: 25
        4. From email can stay the same or change to [any e-mail address], e.g. eyeglass@<your domain>
        5. Specify a test e-mail recipient and click TEST E-mail Setting. Expect to receive the test e-mail successfully.
        6. Do not proceed until this step is successful and the test email has been received.
        7. For advanced email configuration with authentication and TLS cipher control, see the Advanced Postfix Configuration section below.
      3. Adding Filtering Rules Files to Postfix

        1. This requires adding rules for filtering and forwarding emails based on the subject or the body of the alert email.  Common examples are provided below.
        2. login as admin user over ssh
        3. sudo -s (enter admin password to become root user)
        4. Preparing Configuration files for Content Filtering Rules (Mandatory Step)
          1. Run these commands to enable content filtering on both the subject and the body of emails.
          2. postconf -e "body_checks = regexp:/etc/postfix/body_checks"
          3. cp /etc/postfix/header_checks /etc/postfix/body_checks
          4. postconf -e "header_checks = regexp:/etc/postfix/header_checks"
        5. How to Edit the Rules files for email header_checks and for email body_checks
          1. Type the command below to edit email subject filter file
            1. nano /etc/postfix/header_checks   (use this file for email subject line filtering)
            2. nano /etc/postfix/body_checks   (only edit this file if you need content filtering rules)
          2. Requirements for email Filtering Rules
            1. Under line 1, hit enter a few times to make space to add filters.  Note: you can add more than one filter with different emails and conditions.
            2. Each rule must be on its own line.
            3. Rules are processed in the order listed in the file and the first match exits the filtering logic.
            4. Filters and actions use regex syntax.  The full list of actions is defined in the postfix header_checks(5) man page.
      4. Example 1: Send all Ransomware alarms to a specific email (person or group email) AND discard or redirect Security Guard daily self-test emails:

        1. This example sends all Ransomware alarms to a specific email regardless of the configured Notification Center alarm configuration, and allows discarding or redirecting Security Guard test emails.  This example requires body content matching.
          1. NOTE: this matches the quoted string and sends the email to a different email address.
          2. This also means that alarms for this product will not be sent to the Eyeglass administrator.
          3. Security Guard emails will be discarded or forwarded.
          4. The example assumes the Security Guard cluster user name is "igls-sg"; change this value to match the name of the Security Guard user configured in Ransomware Defender.
        2. Discard Security Guard and forward all other Ransomware alarms to a specific email
          1. nano /etc/postfix/body_checks    (place each value below on its own line; the order matters so that the discard rule is evaluated first)
            1. /igls-sg/ DISCARD
            2. /Ransomware Defender/ REDIRECT customer_email@domain.com
        3. OR forward Security Guard emails to email A and forward all other Ransomware alarms to email B
          1. nano /etc/postfix/body_checks    (place each value below on its own line)
            1. /igls-sg/ REDIRECT customer_email_A@domain.com
            2. /Ransomware Defender/ REDIRECT customer_email_B@domain.com
        4. control+x, answer y and press enter to save and exit
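The rule requirements above and Example 1 both depend on one property of Postfix regexp tables: patterns are tried top to bottom and the first matching rule decides the action. The POSIX sh script below is an added illustration, not Superna's or Postfix's own code. It reads a rules file in the same "/pattern/ ACTION" form used by header_checks and body_checks and reports the action for a lookup string, mirroring what `postmap -q "string" regexp:/etc/postfix/body_checks` prints on the Eyeglass host. The rules files and the message lines it runs on are constructed here for the demonstration; the assumed simplifications are that patterns contain no "/ " sequence and that matching is case-insensitive, which is the Postfix default for regexp tables.

```shell
#!/bin/sh
# Added example (not Superna's or Postfix's own code): simulate first-match
# evaluation of a Postfix regexp table such as /etc/postfix/body_checks.
# Assumptions: rule lines look like "/pattern/ ACTION [argument]", patterns
# contain no "/ " sequence, matching is case-insensitive (Postfix default).

# lookup_action RULES_FILE STRING
# Prints the action of the first rule whose pattern matches STRING and
# returns 0; prints nothing and returns 1 when no rule matches.
# On a real host "postmap -q STRING regexp:RULES_FILE" reports the same.
lookup_action() {
    _rules=$1
    _input=$2
    while IFS= read -r _rule || [ -n "$_rule" ]; do
        case $_rule in
            ''|'#'*) continue ;;        # blank lines and comments are ignored
        esac
        _pattern=${_rule#/}             # drop the opening slash
        _pattern=${_pattern%%/ *}       # keep the text up to the closing "/ "
        _action=${_rule#*/ }            # everything after the closing "/ "
        if printf '%s\n' "$_input" | grep -E -i -q -- "$_pattern"; then
            printf '%s\n' "$_action"
            return 0
        fi
    done < "$_rules"
    return 1
}

# message_action RULES_FILE MESSAGE_FILE
# Applies lookup_action to each line of MESSAGE_FILE and prints the first
# action found, or DUNNO if no line matches. This follows the guide's
# description that the first match ends filtering; header_checks(5)
# documents the exact behaviour of each action.
message_action() {
    _rules_file=$1
    while IFS= read -r _line || [ -n "$_line" ]; do
        if _found=$(lookup_action "$_rules_file" "$_line"); then
            printf '%s\n' "$_found"
            return 0
        fi
    done < "$2"
    printf 'DUNNO\n'
}

DEMO_DIR=$(mktemp -d)

# Constructed rules in the order Example 1 recommends: discard Security Guard
# self-test mail first, then redirect every other Ransomware Defender alarm.
cat > "$DEMO_DIR/body_checks" <<'EOF'
# comment lines and blank lines are ignored

/igls-sg/ DISCARD
/Ransomware Defender/ REDIRECT customer_email@domain.com
EOF

# The same two rules in the wrong order.
cat > "$DEMO_DIR/body_checks.reversed" <<'EOF'
/Ransomware Defender/ REDIRECT customer_email@domain.com
/igls-sg/ DISCARD
EOF

# Constructed body lines (not real Eyeglass output) standing in for a
# Security Guard self-test alarm and for an ordinary user lockout alarm.
printf 'Ransomware Defender alert for user igls-sg on cluster01\n' > "$DEMO_DIR/selftest.txt"
printf 'Ransomware Defender locked out user jsmith on cluster01\n' > "$DEMO_DIR/lockout.txt"

demo() {
    printf 'self-test, recommended order: %s\n' "$(message_action "$DEMO_DIR/body_checks" "$DEMO_DIR/selftest.txt")"
    printf 'self-test, reversed order:    %s\n' "$(message_action "$DEMO_DIR/body_checks.reversed" "$DEMO_DIR/selftest.txt")"
    printf 'lockout, recommended order:   %s\n' "$(message_action "$DEMO_DIR/body_checks" "$DEMO_DIR/lockout.txt")"
}
demo
```

Run the script as it is to see the three outcomes; the self-test line contains both "igls-sg" and "Ransomware Defender", so with the recommended order it is discarded and with the reversed order it is redirected to the customer address instead. On the Eyeglass host, after the rules are installed, the same check against the live table is `postmap -q "Ransomware Defender alert for user igls-sg" regexp:/etc/postfix/body_checks`.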
      5. Example 2: Send only alarms for a user being locked out by Ransomware Defender to a specific email (person or group email); these alarms will not be sent to the Eyeglass admin defined to receive all alarms

        1. nano /etc/postfix/header_checks (this file for email subject line filtering)
        2. /^Subject: .*Locked/ REDIRECT xxxx@domain.name 
        3. control+x answer y and the enter key to save and exit
      6. Example 3: Send Easy Auditor reports to a specific user or group email; note that only this user or group will receive report emails

        1. nano /etc/postfix/header_checks (this file for email subject line filtering)
        2. /^Subject: Easy Auditor Report/ REDIRECT xxxx@domain.name
        3. control+x answer y and the enter key to save and exit
      7. Example 4: Drop all Easy Auditor Report emails

        1. nano /etc/postfix/header_checks (this file for email subject line filtering) 
        2. /^Subject: Easy Auditor Report/ DISCARD
        3. control+x answer y and the enter key to save and exit
      8. Example 5: Send Easy Auditor Triggers to a specific email OR send a specific search report to a specific user

        1. If you want to send a custom trigger or a saved report to a specific user email or group email, you first need the saved report name or the trigger name.
        2. Get the trigger names.  We recommend using the word trigger in all trigger names, followed by a descriptive name, to make matching alerts easier.  Alerts include the trigger name in the body of the email.
        3. For a content filter you must add the rule to the body_checks file.  See the 3 examples below.
        4. nano /etc/postfix/body_checks (only edit this file if you need content filtering rules, see examples below)
          1. /trigger/ REDIRECT xxxx@domain.name  (sends all triggers with the word trigger in the name)
          2. /trigger policy 1/ REDIRECT xxxx@domain.name (sends all triggers with a specific name; in this example the trigger name is "trigger policy 1")
          3. /departmentXReport/ REDIRECT xxxx@domain.name (sends all Easy Auditor report results for a saved report, run manually or on a schedule, with the name "departmentXReport")

      9. Mandatory Step - Activate filtering rules for the subject or body of emails

        1. Reload the rule set so it takes effect and restart the postfix process
          1. postfix reload
          2. systemctl restart postfix
  2. How to Test your new forwarding rule

    1. The examples that use Easy Auditor reports or Ransomware Defender can be tested using the Security Guard and Robot Audit "run now" option to trigger a new alarm.
    2. To verify your rule worked, tail the mail routing log to see the rule rewrite the original email recipient with the new email address.
    3. tail -f -n 100 /var/log/mail    (monitors the mail log during the test)
    4. or you can search the log
    5. grep orig_to /var/log/mail*  (locates all entries where the redirect rule triggered and shows the original and the new email address)
    6. Done


Advanced Postfix Configuration For SMTP Authentication and TLS Configuration

  1. This section allows configuration of authentication to your mail system and control of TLS options.
  2. NOTE:  Authentication + TLS is the only supported configuration.
  3. NOTE: This assumes you have configured the relay and basic settings in the section above for switching to postfix MTA.
  4. ssh as admin user
  5. switch to root
    1. sudo -s (enter admin password)
  6. Fix the host file to provide a host name for localhost used by postfix mail relay
    1. nano /etc/hosts and add the Eyeglass hostname and FQDN to the localhost line. Example:
      127.0.0.1 localhost igls01 igls01.ad1.test
  7. Edit the postfix setting for Authentication.
    1. nano /etc/postfix/main.cf
    2. Verify the relayhost parameter is already set following the steps in the basic configuration section above, and change the port to the TLS port.  Press control+w, type relayhost [enter] and repeat 8 times to find the correct entry.
      1. relayhost = [x.x.x.x]:587   (leave the square brackets)
      2. Replace x.x.x.x with your mail relay host IP or FQDN
    3. Configure Authentication
      1. edit the following parameters for SASL authentication
      2. nano /etc/postfix/main.cf
        1. press control+w, enter sasl [enter] to locate the authentication configuration section.  Set the parameters as below
      3. smtp_sasl_auth_enable = yes
      4. smtp_sasl_security_options = noanonymous
      5. smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
      6. smtpd_sasl_auth_enable = no
      7. Create the password file /etc/postfix/sasl_passwd, replacing the placeholder values to match your environment before creating the file.
        1. nano /etc/postfix/sasl_passwd     (enter the line below and change the placeholder values to match your environment)
        2. [x.x.x.x]:587 user:password
          1. x.x.x.x is replaced with the ip address or host name of your mail relay host
          2. This assumes port 587 is used on your mail relay host, which is the default TLS SMTP port. Change the port to match your mail server.
          3. User is the user name for authentication, e.g. user@domain.com
          4. Password is the password for this service account user.
        3. Convert /etc/postfix/sasl_passwd into a format that Postfix can read, then remove the clear-text password file:
          1. postmap /etc/postfix/sasl_passwd
          2. This creates the file /etc/postfix/sasl_passwd.db
          3. You can now delete the clear-text password file /etc/postfix/sasl_passwd
          4. rm /etc/postfix/sasl_passwd  (removes the clear-text password file, which postfix does not use; the .db file is what postfix reads for the user and password)
        4. Secure the /etc/postfix/sasl_passwd.db file.
          1. The file must be owned by root, and no one else should have read access to it
            1. chown root:root /etc/postfix/sasl_passwd.db
            2. chmod 600  /etc/postfix/sasl_passwd.db
        5. Restart postfix service
          1. systemctl restart postfix
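Steps 3 and 4 above leave the relay credentials on disk, so a quick verification that the store is actually locked down is worth keeping next to the procedure. The POSIX sh script below is an added check, not Superna's code: it confirms that the compiled sasl_passwd.db is owned by root with no group or other permission bits, and that the clear-text sasl_passwd has been removed. It assumes the file names from the guide, an expected owner of root unless one is passed explicitly (the self-test at the end passes the current user and works on constructed temp files so it can run unprivileged), and it parses `ls -l` output for mode and owner because `stat` options differ between systems.

```shell
#!/bin/sh
# Added example (not Superna's code): verify the Postfix SASL credential
# store is secured as the guide requires (root-owned, mode 0600, no
# clear-text copy left behind).

# check_secret_file FILE [OWNER]
# Prints "ok" and returns 0 when FILE exists, belongs to OWNER (default
# root) and has no group/other permission bits; otherwise prints the first
# problem found and returns 1.
check_secret_file() {
    _file=$1
    _owner=${2:-root}
    if [ ! -f "$_file" ]; then
        printf 'missing: %s\n' "$_file"
        return 1
    fi
    # Word-split "ls -ld" output: field 1 is the mode string, field 3 the owner.
    set -- $(ls -ld "$_file")
    _mode=$1
    _file_owner=$3
    if [ "$_file_owner" != "$_owner" ]; then
        printf 'wrong owner: %s (expected %s)\n' "$_file_owner" "$_owner"
        return 1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    _grp_oth=$(printf '%s\n' "$_mode" | cut -c5-10)
    if [ "$_grp_oth" != "------" ]; then
        printf 'too permissive: %s\n' "$_mode"
        return 1
    fi
    printf 'ok\n'
    return 0
}

# check_sasl_store [DB_FILE] [CLEARTEXT_FILE] [OWNER]
# Full post-setup check: the .db is locked down and the clear-text source
# file is gone. Prints one line per finding and returns 1 on any problem.
check_sasl_store() {
    _db=${1:-/etc/postfix/sasl_passwd.db}
    _clear=${2:-/etc/postfix/sasl_passwd}
    _expected=${3:-root}
    _rc=0
    check_secret_file "$_db" "$_expected" || _rc=1
    if [ -e "$_clear" ]; then
        printf 'clear-text password file still present: %s\n' "$_clear"
        _rc=1
    fi
    return $_rc
}

# Self-test on constructed files in a temp directory (no root required).
SASL_DEMO=$(mktemp -d)
ME=$(id -un)
# Constructed placeholder line, same shape as the guide's, not a real credential.
printf '[x.x.x.x]:587 user:password\n' > "$SASL_DEMO/sasl_passwd"
cp "$SASL_DEMO/sasl_passwd" "$SASL_DEMO/sasl_passwd.db"   # stands in for postmap output
chmod 600 "$SASL_DEMO/sasl_passwd.db"
rm "$SASL_DEMO/sasl_passwd"

demo() {
    echo "after hardening:"
    check_sasl_store "$SASL_DEMO/sasl_passwd.db" "$SASL_DEMO/sasl_passwd" "$ME"
    echo "after loosening the mode to 644 (should fail):"
    chmod 644 "$SASL_DEMO/sasl_passwd.db"
    check_sasl_store "$SASL_DEMO/sasl_passwd.db" "$SASL_DEMO/sasl_passwd" "$ME" || echo "check failed as expected"
    chmod 600 "$SASL_DEMO/sasl_passwd.db"
}
demo
```

On the Eyeglass host, run `check_sasl_store` with no arguments as root after step 4; any line other than "ok" means one of the chown, chmod or rm steps above was skipped.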
    4. TLS Configuration for Secure SMTP
      1. nano /etc/postfix/main.cf
      2. Control+w type tls [enter]
      3. Locate these sections and configure them to match
        1. smtp_use_tls = yes
        2. smtp_tls_loglevel = 1
      4. Done
    5. This configures an authenticated TLS SMTP relay.  Continue with the steps below to debug and test that mail is correctly forwarded from Eyeglass to your SMTP mail system.

How to Debug Postfix mail relay Issues

  1. Verify the mail is correctly being forwarded with authentication by tailing the mail log.
    1. tail -f /var/log/mail
  2. Open the Notification Center Icon in Eyeglass from the main menu options, and send a test email to verify authentication and TLS connections are successful.
  3. Example of a successful TLS SMTP message relay from Eyeglass to an external SMTP host with TLS 1.2 enabled.  The 250 OK code indicates successful delivery.  SMTP or TLS errors will be visible in this log for debugging.
  4. Check for any queued mail that failed
    1. sudo mailq
    2. any queued mail that failed is listed with a reason code
    3. To reattempt delivery of the queued mail, use the command below
    4. sudo postfix flush
  5. To provide support with your postfix configuration, use this command
    1. postconf -n


© Superna LLC