Custom email routing by application or alarm subject contents



This solution guide explains how to configure custom email routing of specific alarms or notifications within Eyeglass. This is most commonly used for Easy Auditor or Ransomware Defender to route email notifications to a specific email address or group distribution email, and it also ensures other system-level alarms are not sent to those addresses. The steps below explain how to set up postfix email routing options. It is also possible to drop emails silently; the alarm is still visible in the GUI Alarms icon.

Limitations and Unsupported Configurations

  1. When a rule matches your criteria it exits and no longer matches any other rules listed in the configuration files.
  2. Redirection - Multiple emails on a rule, or multiple rows with different emails, is unsupported. Redirecting emails should always use a group email.
  3. Any configuration NOT listed below is not supported.
  4. OpenSUSE 15.3 (the latest OS) is recommended.

How to switch to Eyeglass mail routing based on postfix OS SMTP Relay

  1. Most Eyeglass deployments use Notification center to enter SMTP details of your mail server. These steps will switch to a local SMTP engine in the operating system.
    1. Requirements:
      1. This example assumes you are using anonymous non authenticated SMTP over port 25.
      2. The advanced section below covers authentication + TLS configuration
    2. Steps
      1. Setup Eyeglass OS SMTP to Send mail to your mail server
        1. ssh to Eyeglass as admin
        2. sudo -s (enter the admin password)
        3. Edit the postfix settings: nano /etc/postfix/
        4. Press control+w, type relayhost and press enter to search. The file contains several commented instances; repeat control+w [enter] (8 times) until you reach the very last occurrence of relayhost that has no # comment at the front of the line.
        5. Edit the relayhost parameter (NOTE: the square brackets are required, as in the example below)
          1. relayhost = [DNS or ip of your SMTP mail server]:25   (leave the square brackets)
        6. To specify the from email address used on ALL outbound emails
          1. nano /etc/postfix/sender_canonical
          2. On a new line, add the source email entered in the Eyeglass GUI Notification Center From field, followed by the desired outbound FROM email to be used on all emails. In the example below, eyeglass@redacted.gz is the email entered in the Eyeglass GUI.
          3. eyeglass@redacted.gz eyeglass@quazar.redacted
          4. control+x, answer y and press enter to save and exit
        7. Restart the postfix service
          1. systemctl restart postfix
          2. Check that the postfix service is running: systemctl status postfix
      2. Eyeglass - switch to the local postfix OS mail relay service (no authentication)

        1. From Eyeglass UI => Notification Center => Configure SMTP => Outgoing Email Server Information
        2. Host Name change to: localhost
        3. Port should stay set to: 25
        4. From email can stay the same or change: [any e-mail address], e.g. eyeglass@<your domain>
        5. Specify a test e-mail recipient and click TEST E-mail Setting. Expect to receive the test e-mail successfully.
        6. Do not proceed until this step is successful and the test email has been received.
        7. For advanced email configuration with authentication and TLS cipher control, see the Advanced Postfix Configuration section below.
        8. Done - No further steps are required unless email redirect rules are needed.
      3. Adding Filtering and Forwarding Rules to Postfix

        1. This requires adding rules for filtering and forwarding emails based on the subject or the body of the alert email. Common examples are provided below.
        2. login as admin user over ssh
        3. sudo -s (enter admin password to become root user)
        4. Preparing configuration files for content filtering rules (Mandatory Step)
          1. Run these commands to enable content filtering on both the subject and the body of emails.
            1. touch /etc/postfix/body_checks
            2. touch /etc/postfix/header_checks
            3. postconf -e "body_checks = regexp:/etc/postfix/body_checks"
            4. postconf -e "header_checks = regexp:/etc/postfix/header_checks"
        5. How to Edit the Rules files for email header_checks and for email body_checks
          1. This section explains which files to edit depending on how you want to filter or forward alarm or report emails. See the specific examples in the sections below that you can use for specific scenarios.
          2. Type the command below to edit the email subject filter file
            1. nano /etc/postfix/header_checks   (use this file for email subject line filtering)
            2. nano /etc/postfix/body_checks   (only edit this file if you need email content filtering rules)
          3. Requirements for email filtering rules
            1. Under line 1, press enter a few times to make space to add filters. Note: you can add more than one filter with different emails and conditions.
            2. Each rule must be on its own line.
            3. Rules are processed in the order listed in the file and the first match exits the filtering logic.
            4. Filters and actions use regex syntax. The full syntax is documented in the postfix man pages (header_checks(5)).
      4. Example 1: Send all Ransomware alarms to a specific email (person or group email) AND discard or redirect the Security Guard daily self-test emails:

        1. This example sends all Ransomware alarms to a specific email regardless of the configured Notification Center alarm configuration, and allows discarding or redirecting the Security Guard test emails. This example requires body content matching.
          1. Prerequisite: Switch Eyeglass to use postfix and add your mail server to the relayhost property. See instructions above.
          2. NOTE: a rule matches the string between the slashes and sends the email to a different email address.
          3. This also means that alarms for this product will not be sent to the Eyeglass administrator.
          4. Security Guard emails will be discarded or forwarded.
          5. The example assumes the Security Guard cluster user name is "igls-sg"; change this value to match the name of the Security Guard user configured in Ransomware Defender.
        2. Discard Security Guard emails and forward all other Ransomware alarms to a specific email
          1. nano /etc/postfix/body_checks    (place each value below on its own line; the order matters so that the discard rule is evaluated first. Replace <group email> with the target group email address)
            1. /igls-sg/ DISCARD
            2. /Ransomware Defender/ REDIRECT <group email>
        3. OR forward Security Guard emails to email A and forward all other Ransomware alarms to email B
          1. nano /etc/postfix/body_checks    (place each value below on its own line; replace <email A> and <email B> with the target addresses)
            1. /igls-sg/ REDIRECT <email A>
            2. /Ransomware Defender/ REDIRECT <email B>
        4. control+x, answer y and press enter to save and exit
        5. Continue to the activate step (Mandatory Step below)
      5. Example 2: Send only the alarms raised when a user is locked out by Ransomware Defender to a specific email (person or group email); these alarms will not be sent to the Eyeglass admin defined to receive all alarms

        1. Prerequisite: Switch Eyeglass to use postfix and add your mail server to the relayhost property. See instructions above.
        2. nano /etc/postfix/header_checks (this file is for email subject line filtering; replace <group email> with the target address)
        3. /^Subject: .*Locked/ REDIRECT <group email>
        4. control+x, answer y and press enter to save and exit
        5. Continue to the activate step (Mandatory Step below)
      6. Example 3: Send Easy Auditor reports to a specific user or group email; note that only this user or group will receive report emails

        1. Prerequisite: Switch Eyeglass to use postfix and add your mail server to the relayhost property. See instructions above.
        2. nano /etc/postfix/header_checks (this file is for email subject line filtering; replace <group email> with the target address)
        3. /^Subject: Easy Auditor Report/ REDIRECT <group email>
        4. control+x, answer y and press enter to save and exit
      7. Example 4: Drop all Easy Auditor Report emails

        1. Prerequisite: Switch Eyeglass to use postfix and add your mail server to the relayhost property. See instructions above.
        2. nano /etc/postfix/header_checks (this file is for email subject line filtering)
        3. /^Subject: Easy Auditor Report/ DISCARD
        4. control+x, answer y and press enter to save and exit
        5. Continue to the activate step (Mandatory Step below)
      8. Example 5: Send Easy Auditor triggers to a specific email OR send a specific search report to a specific user

        1. Prerequisite: Switch Eyeglass to use postfix and add your mail server to the relayhost property. See instructions above.
        2. If you want to send a custom trigger or a saved report to a specific user email or group email, you first need the saved report name or the trigger name.
        3. Get the trigger names. We recommend using the word trigger in all trigger names, followed by a descriptive name, to make matching alerts easier. Alerts include the trigger name in the body of the email.
        4. For a content filter you must add the rule to the body_checks file. See the 3 examples below.
        5. nano /etc/postfix/body_checks (only edit this file if you need content filtering rules; replace <group email> with the target address)
          1. /trigger/ REDIRECT <group email>  (sends all triggers with the word trigger in the name)
          2. /trigger policy 1/ REDIRECT <group email>  (sends all triggers with a specific name; in this example the trigger name is "trigger policy 1")
          3. /departmentXReport/ REDIRECT <group email>  (sends all Easy Auditor report results for a saved report run manually or on a schedule with the name "departmentXReport")
      9. Mandatory Step - Activate the filtering rules for subject or body rules

        1. Reload the rule set and restart the postfix process for the rules to take effect
          1. postfix reload
          2. systemctl restart postfix
          3. done
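The examples above all rely on the same postfix behaviour: rules are tried in file order, the first match wins, and body rules are applied one body line at a time. The script below is an added example (not part of this guide, and not postfix code) that simulates that evaluation so you can check rule order before editing the files on the appliance. The rule files, the target address soc-team@example.com and the sample alarm emails are all constructed; the Security Guard user name igls-sg is the one the guide uses.

```python
"""Simulate postfix header_checks / body_checks first-match evaluation.

Added example, not Superna's or postfix's code. It models the regexp_table(5)
behaviour the guide relies on: rules are tried in file order and the first
match wins, matching is case-insensitive unless the rule carries the 'i'
flag, header rules see one header at a time and body rules see one body
line at a time. All rule files and messages below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# '/pattern/[flags] ACTION [argument]'
RULE_RE = re.compile(r"^/(.*?)/([A-Za-z]*)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Rule:
    pattern: "re.Pattern"
    action: str     # DISCARD, REDIRECT, OK, DUNNO, ...
    argument: str   # REDIRECT target address, or optional log text


def parse_rules(text: str) -> List[Rule]:
    """Parse a rules file; blank lines and # comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {raw!r}")
        pattern, flags, action, argument = m.groups()
        # postfix matches case-insensitively by default; the 'i' flag toggles that off
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append(Rule(re.compile(pattern, re_flags), action.upper(), (argument or "").strip()))
    return rules


def first_action(rules: List[Rule], text: str) -> Optional[Rule]:
    """First rule matching this header or body line; OK/DUNNO end the search with no action."""
    for rule in rules:
        if rule.pattern.search(text):
            return None if rule.action in ("OK", "DUNNO") else rule
    return None


def evaluate(header_rules: List[Rule], body_rules: List[Rule],
             headers: List[str], body: str) -> Tuple[str, str]:
    """Return (action, argument); ('PASS', '') means the message is delivered unchanged.
    Stops at the first header or body line that triggers an action, which is the
    first-match-exits behaviour the guide's ordering advice depends on."""
    for header in headers:
        rule = first_action(header_rules, header)
        if rule:
            return rule.action, rule.argument
    for line in body.splitlines():
        rule = first_action(body_rules, line)
        if rule:
            return rule.action, rule.argument
    return "PASS", ""


def route(body_rule_text: str, header_rule_text: str, message: dict) -> Tuple[str, str]:
    return evaluate(parse_rules(header_rule_text), parse_rules(body_rule_text),
                    message["headers"], message["body"])


# Constructed rule files: Example 1 in the documented order, then the same rules reversed.
DISCARD_FIRST = """
/igls-sg/ DISCARD
/Ransomware Defender/ REDIRECT soc-team@example.com
"""
REDIRECT_FIRST = """
/Ransomware Defender/ REDIRECT soc-team@example.com
/igls-sg/ DISCARD
"""
# Example 2's subject rule (header_checks).
LOCKOUT_HEADER_RULES = "/^Subject: .*Locked/ REDIRECT soc-team@example.com\n"

# Constructed sample emails (header list plus body text).
SG_SELF_TEST = {
    "headers": ["From: eyeglass@quazar.redacted", "Subject: Security Guard daily self test"],
    "body": "Ransomware Defender Security Guard test run by user igls-sg completed.\n",
}
LOCKOUT_ALARM = {
    "headers": ["From: eyeglass@quazar.redacted", "Subject: Ransomware Defender user locked out"],
    "body": "User jdoe was locked on cluster prod-01.\n",
}
SYSTEM_ALARM = {
    "headers": ["From: eyeglass@quazar.redacted", "Subject: Eyeglass heartbeat warning"],
    "body": "Cluster prod-01 missed a heartbeat.\n",
}

if __name__ == "__main__":
    for name, rules in (("discard first", DISCARD_FIRST), ("redirect first", REDIRECT_FIRST)):
        print(name, "-> Security Guard self test:", route(rules, "", SG_SELF_TEST))
    print("lockout alarm:", route(DISCARD_FIRST, LOCKOUT_HEADER_RULES, LOCKOUT_ALARM))
    print("system alarm:", route(DISCARD_FIRST, LOCKOUT_HEADER_RULES, SYSTEM_ALARM))
```

With the rules in the documented order the self-test email is discarded; with the same two rules reversed it is redirected to the group address instead, because the body line that mentions igls-sg also mentions Ransomware Defender and the first matching rule wins. The lowercase "locked out" subject still matches /^Subject: .*Locked/ because postfix regexp tables are case-insensitive by default. On the appliance the equivalent check against the real files is `postmap -q "Subject: Easy Auditor Report" regexp:/etc/postfix/header_checks`, which prints the action that would fire. Two caveats the simulation shares with postfix: body_checks only inspects the first body_checks_size_limit bytes of a message (51200 by default), and it matches the raw lines without decoding base64 or quoted-printable content, so a string inside an encoded HTML part will not match.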

How to edit Filter rules

  1. Each time you edit the filter files
    1. nano /etc/postfix/body_checks    (email body rules)
      1. OR
      2. nano /etc/postfix/header_checks (email header rules)
    2. You must restart postfix before any changes take effect.
    3. Activate the filter rules (postfix reload, then systemctl restart postfix, as in the Mandatory Step above)

How to Test your new filter or forwarding rule

  1. The examples that use Easy Auditor reports or Ransomware Defender can be tested using the Security Guard and Robot Audit "run now" option to trigger a new alarm.
  2. To verify that your rule worked, tail the mail routing log to see the rule rewrite the original email recipient to the new email address.
  3. tail -f -n 100 /var/log/mail    (this command monitors the mail log during the test)
  4. or you can search the log
  5. grep orig_to /var/log/mail*  (this locates all entries where the redirect rule triggered and shows the original email and the new email used)
  6. The matching log entries show the original recipient (orig_to) and the new recipient (to).
  7. Done
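To make the log check above repeatable, here is an added example (not part of this guide, and not a postfix tool) that parses mail log lines in the format the postfix smtp and cleanup daemons write and reports which messages were redirected, discarded, sent or deferred. The log lines, queue IDs, host names and addresses are constructed; on the appliance the input would be /var/log/mail.

```python
"""Parse postfix mail log lines to confirm that REDIRECT or DISCARD rules fired.

Added example, not Superna's or postfix's code. SAMPLE_LOG is constructed in
the format postfix writes to /var/log/mail; queue IDs, hosts and addresses
are made up. orig_to= appears whenever postfix rewrote a recipient, which is
what the guide's 'grep orig_to' relies on.
"""
import re
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Jan  5 10:00:01 igls01 postfix/cleanup[2210]: 4F1A2B3C4D: message-id=<1@igls01.ad1.test>
Jan  5 10:00:01 igls01 postfix/qmgr[1033]: 4F1A2B3C4D: from=<eyeglass@quazar.redacted>, size=2314, nrcpt=1 (queue active)
Jan  5 10:00:02 igls01 postfix/smtp[2215]: 4F1A2B3C4D: to=<soc-team@example.com>, orig_to=<admin@example.com>, relay=mail.example.com[10.0.0.5]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9A8B7C)
Jan  5 10:05:10 igls01 postfix/cleanup[2210]: 5E2B3C4D5F: discard: body Ransomware Defender Security Guard test run by user igls-sg completed. from localhost[127.0.0.1]; from=<eyeglass@quazar.redacted> to=<admin@example.com> proto=ESMTP helo=<igls01>
Jan  5 10:07:30 igls01 postfix/smtp[2215]: 6A3C4D5E6F: to=<admin@example.com>, relay=mail.example.com[10.0.0.5]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1B2C3D)
Jan  5 10:09:00 igls01 postfix/smtp[2215]: 7B4D5E6F7A: to=<admin@example.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mail.example.com[10.0.0.5]:25: Connection refused)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"\b(to|orig_to)=<([^>]*)>")
STATUS_RE = re.compile(r"\bstatus=(\w+)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one syslog line into daemon, queue id, recipient fields and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rest = m.group("rest")
    fields = dict(FIELD_RE.findall(rest))
    rec["to"] = fields.get("to", "")
    rec["orig_to"] = fields.get("orig_to", "")
    status = STATUS_RE.search(rest)
    rec["status"] = status.group(1) if status else ""
    rec["discarded"] = rest.startswith("discard:")   # cleanup logs DISCARD actions this way
    return rec


def deliveries(log_text: str) -> List[Dict[str, object]]:
    """Delivery attempts by the smtp client, flagged when the recipient was rewritten."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["daemon"] == "smtp" and rec["status"]:
            out.append({
                "qid": rec["qid"], "to": rec["to"], "orig_to": rec["orig_to"],
                "status": rec["status"],
                "redirected": bool(rec["orig_to"]) and rec["orig_to"] != rec["to"],
            })
    return out


def discards(log_text: str) -> List[Dict[str, object]]:
    """Messages dropped by a DISCARD rule, with the recipient that never got them."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["discarded"]:
            out.append({"qid": rec["qid"], "to": rec["to"]})
    return out


def summarize(log_text: str) -> Dict[str, int]:
    d = deliveries(log_text)
    return {
        "sent": sum(1 for r in d if r["status"] == "sent"),
        "deferred": sum(1 for r in d if r["status"] == "deferred"),
        "redirected": sum(1 for r in d if r["redirected"]),
        "discarded": len(discards(log_text)),
    }


if __name__ == "__main__":
    for r in deliveries(SAMPLE_LOG):
        print(r)
    print("discarded:", discards(SAMPLE_LOG))
    print(summarize(SAMPLE_LOG))
```

Run it against a copy of the real log with `python3 script.py < /var/log/mail` adapted to read stdin, or paste a few lines into SAMPLE_LOG. A deferred status with relay=none is the signature of the relay being unreachable, which is where the mailq and postfix flush steps in the debug section below come in.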

How to convert previous Opensuse OS postfix to Opensuse 15.3 or later Postfix format

  1. This procedure is for backup and restore of an appliance running 15.1 or 15.2 to a 15.3 or later OS that had postfix configured. The release 2.5.8 backup includes the body and header check files. NOTE: you may need to get these files from your old appliance if the old appliance release is < 2.5.8
  2. Login to the new appliance and follow the steps below.
    1. ssh to the new appliance as admin
    2. sudo -s
    3. Unzip the Eyeglass backup used to restore the new appliance configuration on a Windows PC, locate the postfix backup files, open them in Notepad and locate the relayhost line that includes your mail server.
    4. Edit the postfix file on the new appliance
      1. nano /etc/postfix/
      2. control + w, type relayhost and press enter; you will need to search 8 times to find the line without a # comment
      3. Fix the relayhost field with the values from the backup file opened in Notepad
        1. Add the value from the backup to the relayhost = line in the file opened with the nano editor in the ssh session
        2. relayhost = [DNS or ip of your SMTP mail server]:25 (leave the square brackets)
    5. Re-apply the body and header checks to prepare the new appliance
      1. Open the header_checks and body_checks files from the backup zip file in Notepad
      2. From the ssh session to the new appliance
        1. touch /etc/postfix/body_checks
        2. touch /etc/postfix/header_checks
        3. postconf -e "body_checks = regexp:/etc/postfix/body_checks"
        4. postconf -e "header_checks = regexp:/etc/postfix/header_checks"
    6. Re-apply the previous forwarding and filtering rules
      1. nano /etc/postfix/body_checks (paste the body_checks content from Notepad into this file)
      2. control + x, answer y to save and exit
      3. nano /etc/postfix/header_checks (paste the header_checks content from Notepad into this file)
      4. control + x, answer y to save and exit
    7. Activate the configuration
      1. postfix reload
    8. Send a test email from Eyeglass and test your rules

Advanced Postfix Configuration For SMTP Authentication and TLS Configuration

  1. This section covers configuration of authentication to your mail system and control of TLS options.
  2. NOTE:  Authentication + TLS is the only supported configuration.
  3. NOTE: This assumes you have configured the relay and basic settings in the section above for switching to postfix MTA.
  4. ssh as admin user
  5. switch to root
    1. sudo -s (enter admin password)
  6. Fix the host file to provide a host name for localhost used by postfix mail relay
    1. nano /etc/hosts and add the Eyeglass hostname and FQDN to the localhost line. Example: localhost igls01 igls01.ad1.test
  7. Edit the postfix setting for Authentication.
    1. nano /etc/postfix/
    2. Verify the relayhost parameter is already set following the steps in the basic configuration section above, and change the port to the TLS port. Control+w, type relayhost [enter] and repeat 8 times to find the correct entry.
      1. relayhost = [x.x.x.x]:587   (leave the square brackets)
      2. Replace x.x.x.x with your mail relay host IP or FQDN
    3. Configure Authentication
      1. Edit the following parameters for SASL authentication
      2. nano /etc/postfix/
        1. Press control+w, type sasl [enter] to locate the authentication configuration section. Set the parameters as below
      3. smtp_sasl_auth_enable = yes
      4. smtp_sasl_security_options = noanonymous
      5. smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
      6. smtpd_sasl_auth_enable = no
      7. Create the password file /etc/postfix/sasl_passwd; replace the placeholder values to match your environment before creating the file.
        1. nano /etc/postfix/sasl_passwd     (enter the line below, changing the placeholder values to match your environment)
        2. [x.x.x.x]:587 user:password
          1. x.x.x.x is replaced with the IP address or host name of your mail relay host
          2. This assumes port 587 is used on your mail relay host, which is the default TLS SMTP port. Change the port to match your mail server.
          3. user is the user name for authentication.
          4. password is the password for this service account user.
        3. Convert /etc/postfix/sasl_passwd into a format that Postfix can read and remove the clear text password file:
          1. postmap lmdb:/etc/postfix/sasl_passwd
          2. This creates the file /etc/postfix/sasl_passwd.lmdb
          3. You can now delete the clear text password file /etc/postfix/sasl_passwd
          4. rm /etc/postfix/sasl_passwd  (removes the clear text password file, since it is not used by postfix; the .lmdb database file is used to read the user and password)
        4. Secure the /etc/postfix/sasl_passwd.lmdb file.
          1. The file must be owned by root, and no one else should have read access to that file
            1. chown root:root /etc/postfix/sasl_passwd.lmdb 
            2. chmod 600  /etc/postfix/sasl_passwd.lmdb 
        5. Restart postfix service
          1. systemctl restart postfix 
    4. TLS Configuration for Secure SMTP
      1. nano /etc/postfix/
      2. Control+w type tls [enter]
      3. Locate these sections and configure them to match
        1. smtp_use_tls = yes
        2. smtp_tls_loglevel = 1
      4. Done
    5. This configures authenticated TLS SMTP relay.  Continue with the steps below to debug and test the mail is correctly forwarding from Eyeglass to your SMTP mail system.
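Once the basic relay settings and the authentication and TLS parameters above are in place, a quick way to confirm that nothing was missed is to audit the live configuration. The script below is an added example (not part of this guide, and not a postfix or Superna tool) that parses `postconf -n` output and checks the parameters named in the basic and advanced sections, plus the ownership and mode of sasl_passwd.lmdb. The postconf samples are constructed; the file-permission check is only meaningful on the appliance itself.

```python
"""Audit the postfix settings this guide asks for, from 'postconf -n' output.

Added example, not Superna's or postfix's code. Checks the relayhost format,
the SASL and TLS parameters from the advanced section, the body/header
check tables from the basic section, and the sasl_passwd.lmdb permissions.
The postconf text below is constructed; on the appliance use the real output:
    postconf -n > /tmp/postconf.txt
"""
import os
import re
import stat
from typing import Dict, List

# Bracketed host plus port, e.g. [mail.example.com]:587, as the guide requires.
RELAYHOST_RE = re.compile(r"^\[[^\]\s]+\]:\d+$")
# Security levels that make TLS mandatory rather than opportunistic.
MANDATORY_TLS = ("encrypt", "dane-only", "fingerprint", "verify", "secure")


def parse_postconf(text: str) -> Dict[str, str]:
    """Turn 'name = value' lines into a dict; later lines win, as in main.cf."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            settings[name.strip()] = value.strip()
    return settings


def audit_settings(settings: Dict[str, str], expect_auth: bool = True) -> List[str]:
    """Return a list of findings; an empty list means the guide's settings are all present."""
    findings: List[str] = []
    rh = settings.get("relayhost", "")
    if not RELAYHOST_RE.match(rh):
        findings.append(f"relayhost should be [host]:port with square brackets, got {rh!r}")
    if expect_auth:
        if rh.endswith(":25"):
            findings.append("relayhost uses port 25; the authenticated TLS setup expects the TLS port (587 in the guide)")
        if settings.get("smtp_sasl_auth_enable") != "yes":
            findings.append("smtp_sasl_auth_enable must be yes")
        if "noanonymous" not in settings.get("smtp_sasl_security_options", ""):
            findings.append("smtp_sasl_security_options must include noanonymous")
        maps = settings.get("smtp_sasl_password_maps", "")
        if not maps.startswith("lmdb:"):
            findings.append(f"smtp_sasl_password_maps should be an lmdb: table, got {maps!r}")
        if settings.get("smtpd_sasl_auth_enable", "no") != "no":
            findings.append("smtpd_sasl_auth_enable should stay no; the appliance only sends mail")
        if settings.get("smtp_use_tls") != "yes":
            findings.append("smtp_use_tls must be yes")
        if settings.get("smtp_tls_security_level", "") not in MANDATORY_TLS:
            # smtp_use_tls = yes alone is opportunistic TLS (level 'may'): if the relay
            # ever stops offering STARTTLS, postfix falls back to a clear-text session.
            findings.append("info: TLS is opportunistic; smtp_tls_security_level = encrypt makes it mandatory")
    for name in ("body_checks", "header_checks"):
        value = settings.get(name, "")
        if not value.startswith("regexp:"):
            findings.append(f"{name} is not a regexp: table ({value!r}); filtering rules will not apply")
    return findings


def audit_sasl_files(postfix_dir: str = "/etc/postfix") -> List[str]:
    """Check that the clear-text file is gone and the .lmdb file is root-owned mode 600."""
    findings: List[str] = []
    clear = os.path.join(postfix_dir, "sasl_passwd")
    db = os.path.join(postfix_dir, "sasl_passwd.lmdb")
    if os.path.exists(clear):
        findings.append(f"{clear} still exists; remove the clear-text file after postmap")
    if not os.path.exists(db):
        findings.append(f"{db} missing; run postmap lmdb:{clear}")
    else:
        st = os.stat(db)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != 0 or mode != 0o600:
            findings.append(f"{db} must be root-owned with mode 600 (uid {st.st_uid}, mode {oct(mode)})")
    return findings


# Constructed postconf -n output: advanced (authenticated TLS) configuration done correctly.
GOOD_POSTCONF = """\
body_checks = regexp:/etc/postfix/body_checks
header_checks = regexp:/etc/postfix/header_checks
relayhost = [mail.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_use_tls = yes
smtpd_sasl_auth_enable = no
"""
# Constructed: the basic anonymous port-25 relay from the first section.
BASIC_POSTCONF = """\
body_checks = regexp:/etc/postfix/body_checks
header_checks = regexp:/etc/postfix/header_checks
relayhost = [mail.example.com]:25
"""
# Constructed: brackets missing, authentication never enabled, check tables absent.
BAD_POSTCONF = """\
relayhost = mail.example.com:25
smtp_sasl_auth_enable = no
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_POSTCONF), ("bad", BAD_POSTCONF)):
        print(label, audit_settings(parse_postconf(text)))
    print("files", audit_sasl_files())
```

Pass `expect_auth=False` when auditing an appliance that is still on the basic anonymous relay from the first section. The TLS finding is marked info because it goes one step beyond the guide's `smtp_use_tls = yes`; that setting alone asks for TLS when the relay offers it, while `smtp_tls_security_level = encrypt` refuses to send at all without it.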

How to Debug Postfix mail relay Issues

  1. Verify the mail is correctly being forwarded with authentication by tailing the mail log.
    1. tail -f /var/log/mail
  2. Open the Notification Center Icon in Eyeglass from the main menu options, and send a test email to verify authentication and TLS connections are successful.
  3. Example of a successful TLS SMTP message relay from Eyeglass to an external SMTP host with TLS 1.2 enabled. The 250 OK code indicates successful delivery. SMTP or TLS errors will be visible in this log for debugging.
  4. Check for any queued mail that failed
    1. sudo mailq
    2. Any queued mail that failed will be listed with a reason code
    3. To reattempt delivery of the mail, use the command below
    4. sudo postfix flush
  5. To provide support with your postfix configuration, use this command
    1. postconf -n

© Superna Inc