Administration Guides

Custom email routing by application or alarm subject contents



This solution guide explains how to configure custom email routing of specific alarms or notifications within Eyeglass.  This is most commonly used for Easy Auditor or Ransomware Defender to route email notifications to a specific email or group distribution email.  This also ensures other system level alarms are not sent to these emails.    The steps below explain how to setup postfix email routing options.  It is also possible to drop emails silently but the alarm is still visible in the GUI Alarms Icon.

How to switch to Eyeglass mail routing based on postfix OS SMTP Relay

  1. Most Eyeglass deployments use Notification center to enter SMTP details of your mail server. These steps will switch to a local SMTP engine in the operating system.
    1. Requirements:
      1. This example assumes you are using anonymous non authenticated SMTP.
      2. If using authenticated SMTP contact support on how to configure postfix.
    2. Steps
      1. Setup Eyeglass OS SMTP to Send mail to your mail server
        1. ssh to Eyeglass as admin
        2. sudo -s (enter admin password)
        3. Edit the postfix setting: nano /etc/postfix/
        4. control+w to search for the word relayhost , to locate the correct instance without a comment.  To find the line that is not commented (no # at the front of the line).  You will need to press control+w  8 times to find the very last occurence.
        5. Edit the relayhost parameter (NOTE: leave the square brackets are required as per example below)
          1. relayhost = [DNS or ip of your SMTP mail server]
        6. control+x  answer y and enter to save and exit
        7. Restart postfix service
          1. systemctl restart postfix
          2. Checked that postfix service is running: systemctl status postfix
      2. Eyeglass - Switch to use postfix SMTP local OS mail relay service

        1. From Eyeglass UI => Notification Center => Configure SMTP => Outgoing Email Server Information
        2. Host Name change to: localhost
        3. Port should stay set to: 25
        4. From  email can stay the same or change: [any e-mail address] e.g. eyeglass@<your domain>
        5. Specify test e-mail recipient and click TEST E-mail Setting. Expect to receive test e-mail successfully.
        6. Do not proceed until this step is successful with a test email being received
      3. Adding Filtering Rules Files to Postfix

        1. This requires adding rules for filtering and forwarding emails based on the subject of the alert email or the body.  These are provided as common examples below.
        2. login as admin user over ssh
        3. sudo -s (enter admin password to become root user)
        4. Run these commands to enable content filtering on both subject of emails and the body of emails.  Execute the commands in this order for certain order based filtering.
          1. postconf -e "body_checks = regexp:/etc/postfix/body_checks"
          2. cp /etc/postfix/header_checks /etc/postfix/body_checks​  (Create the filter file so that it exists,  NOTE: If only subject filtering is needed no changes are needed to this file)  
          3. postconf -e "header_checks = regexp:/etc/postfix/header_checks"
        5. How to Edit the Rules files (header_checks and body_checks)​​
          1. Now edit the filter rules files and add the filters using the examples below
            1. Type the command below to edit email subject filter file
            2. nano /etc/postfix/header_checks   (this file for email subject line filtering)
          2. Optional Step for email body content filtering
            1. Type the command below to edit email body filter file
            2. nano /etc/postfix/body_checks   (only edit the file  if you need content filtering rules, see examples below)
          3. Under line 1 hit enter a few times to make space to add filters.  Note: you can add more than one filter with different emails and conditions.
            1. Each rule must be on its own line.
            2. Rules are processed in the order  listed in the file and the first match will exit the filtering logic
            3. Contact support for more specific examples.
            4. The syntax uses regex syntax when creating filters and actions.  A full list is defined here on the postfix main pages
      4. Example 1: Send Ransomware Alarms to a specific email (person or group email):

        1. The example will send all Ransomware alerts to an email regardless configured in the filter. NOTE: this will match the string in bold and will send to a different email address.  This also means that alarms for this product will not be sent to the Eyeglass administrator.
        2. / Ransomware Defender / REDIRECT
        3. control+x answer y and the enter key to save and exit
      5. Example 2: Send Only alarms when a user is locked out  by Ransomware Defender to a specific email (person or group email) but will not be sent to the Eyeglass admin defined to receive all alarms

        1. /^Subject: .*Locked/ REDIRECT 
        2. control+x answer y and the enter key to save and exit
      6. Example 3: Send Easy Auditor Reports to a specific user or group email , note only this user or group will receive report emails

        1. /^Subject: Easy Auditor Report/ REDIRECT
        2. control+x answer y and the enter key to save and exit
      7. Example 4: Drop all Easy Auditor Report emails

        1.  /^Subject: Easy Auditor Report/ DISCARD
        2. control+x answer y and the enter key to save and exit
      8. Example 5: Send Easy Auditor Triggers to a specific email OR send a specific search report to a specific user

        1. If you want to send a custom trigger or a saved report to a specific user email or group email, you first need the saved report name or the trigger name.
        2. Get trigger names.  We recommend using the word trigger in all triggers and then a name after to make matching alerts easier.  Alerts will include the trigger name in the body of email. 
        3. For a content filter you must add the rule to the body_check file.  See 3 different examples below.
        4. /trigger/ REDIRECT  (sends all triggers with the name trigger in the name)
        5. /trigger policy 1/ REDIRECT (sends all triggers with a specific name of a trigger in this example the trigger name is "trigger policy 1")
        6. /departmentXReport/ REDIRECT (sends all Easy Auditor report results with a saved report run manually or on a schedule with a name of "departmentXReport")

      9. Example 6: Email content filter for security guard user lockout to drop the alert email

        1. For a content filter you must add the rule to the body_check file
        2. Add the user name (without the domain) to search for lockout alerts with this user name and drop the email from being forwarded.  example user below is supernaSG.svc appears in alerts with lockout alert based on the security guard schedule.   Combine this example with example #2.  
        3. /supernaSG.svc/ DISCARD
        4. control+x answer y and the enter key to save and exit
      10.  Mandatory Step - Activate Filtering Rules for subject or body of emails 

        1. Reload the rule set to take effect and restart postfix process
          1. postfix reload
          2. systemctl restart postfix
  2. Test your new forwarding rule

    1. The examples that use Easy Auditor reports or Ransomware Defender can be tested using Security Guard and Robot Audit run now option to trigger a new alarm.
    2. To verify your rule worked you can tail the mail routing log to see the rule rewrite the original email recipient with new email address.
    3. tail -f -n 100 /var/log/mail    (this command will monitor the mail log during the test)
    4. or you can search the log
    5. grep orig_to /var/log/mail*  (this will locate all entries that the redirect rule triggered and shows the original email and new email used)
    6. Done
Copyright Superna LLC