SMTP server with authentication

ThreatLockDown email alerts do not support SMTP servers that require authentication, such as Gmail. However, you can use a relay server, such as Postfix, to send these emails. This guide describes how to configure Postfix with Gmail.

  1. Run this command to install the required packages. If prompted about the Mail server configuration type, select No configuration.

    # yum update && yum install postfix mailx cyrus-sasl cyrus-sasl-plain
    
  2. Append these lines to /etc/postfix/main.cf to configure Postfix. Create the file if missing.

    relayhost = [smtp.gmail.com]:587
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
    smtp_use_tls = yes
    
  3. Set the sender email address and password. Replace USERNAME and PASSWORD with your own data.

    # echo '[smtp.gmail.com]:587 USERNAME@gmail.com:PASSWORD' > /etc/postfix/sasl_passwd
    # postmap /etc/postfix/sasl_passwd
    # chmod 400 /etc/postfix/sasl_passwd
    

    Note

    The password must be an App Password. App Passwords can only be used with accounts that have 2-Step Verification turned on.

  4. Secure your password DB file.

    # chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
    # chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
    
  5. Restart Postfix.

    # systemctl restart postfix
    
  6. Run the following command to test the configuration. Replace you@example.com with your email address. Then check that you receive the test email.

    # echo "Test mail from postfix" | mail -s "Test Postfix" -r "you@example.com" you@example.com
    
  7. Configure email notifications in the ThreatLockDown server /var/ossec/etc/ossec.conf file as follows:

    <global>
      <email_notification>yes</email_notification>
      <smtp_server>localhost</smtp_server>
      <email_from>USERNAME@gmail.com</email_from>
      <email_to>you@example.com</email_to>
    </global>
    
  8. Restart the ThreatLockDown manager to apply the changes.

    # systemctl restart wazuh-manager
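
The check below is an added example, not part of the original guide and not ThreatLockDown or Postfix code: a POSIX shell function that audits the main.cf settings from step 2 and the credential file permissions from steps 3 and 4. The function names cf_get and audit_relay are hypothetical, and the TLS warning relies on smtp_use_tls = yes meaning opportunistic TLS in Postfix.

```shell
#!/bin/sh
# Added example: audit the relay settings from step 2 and the credential
# file permissions from steps 3 and 4. Names here are hypothetical.
# Simplifications: continued (multi-line) main.cf values are not parsed,
# the obsolete smtp_enforce_tls parameter is ignored, and file ownership
# (root:root in step 4) is not checked.

cf_get() {  # cf_get FILE PARAM: print the last value assigned to PARAM
  awk -v p="$2" '
    /^[ \t]*#/ || !/=/ { next }
    { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k) }
    k == p { v = substr($0, index($0, "=") + 1)
             gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
    END { print val }' "$1"
}

audit_relay() {  # audit_relay DIR: print findings, return 1 on any FAIL
  dir=$1; cf=$dir/main.cf; rc=0
  fail() { echo "FAIL: $1"; rc=1; }

  [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
    fail "smtp_sasl_auth_enable is not 'yes'"
  case " $(cf_get "$cf" smtp_sasl_security_options | tr ',' ' ') " in
    *" noanonymous "*) ;;
    *) fail "smtp_sasl_security_options lacks 'noanonymous'" ;;
  esac

  # smtp_tls_security_level, when set, overrides the older smtp_use_tls.
  level=$(cf_get "$cf" smtp_tls_security_level)
  if [ -z "$level" ] && [ "$(cf_get "$cf" smtp_use_tls)" = yes ]; then
    level=may   # smtp_use_tls = yes is opportunistic TLS
  fi
  case $level in
    ""|none) fail "TLS is off: the password would be sent unencrypted" ;;
    may) echo "WARN: TLS is opportunistic; smtp_tls_security_level = encrypt enforces it" ;;
  esac

  # Credential files must exist with no group/other permission bits.
  for f in "$dir/sasl_passwd" "$dir/sasl_passwd.db"; do
    if [ ! -f "$f" ]; then fail "$f is missing"; continue; fi
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
      fail "$f is readable or writable by group or other"
  done
  return $rc
}

# On the Postfix host, as root: audit_relay /etc/postfix
```

A FAIL line means a setting or permission from the steps above is not in effect; the WARN line flags that the step 2 configuration does not make TLS mandatory.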