Alerting

Why am I receiving error "SMTP AUTH extension not supported by server" when trying to configure an alert?

fab73
Path Finder

Weekly Report fires perfectly. SMTP Authentication is correctly configured in General Settings, and it works. Now I'm configuring an Alert based on an event (search result). The log shows me the trigger works correctly, but now I have a send mail problem (??).

python.log shows:

ERROR   sendemail:127 - Sending email. ....
ERROR   sendemail:392 - SMTP AUTH extension not supported by server. while sending mail to: ....

Item in splunkd.log:

ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/etc/apps/search/bin/sendemail.py "results_link= .... ERROR:root:SMTP AUTH extension not supported by server. while sending mail to: ....

Any idea? It seems a permission problem.... The same SMTP is correctly authenticated and it works for the Report, but not in case of the Alert. Any idea where to check?

1 Solution

fab73
Path Finder

I solved it by putting the port in the "Mail host" field in general mail settings!!?? ourmailhost.foo.com:25.
Don't know why it makes a difference. It is not a requested value if SSL or TLS is not used, and this is the case.

jkat54
SplunkTrust

Probably because the default port for TLS and SSL is not typically 25.


jkat54
SplunkTrust

If it works with a report but not this alert then one of the ways that is possible is if the report search is using the | sendemail command and has the correct auth in line, or your alert search is using the sendemail command with the incorrect auth in line.

The error is telling you that the mail server doesn't like the authentication method you are using. Your options are basic, ssl, and ssl with tls.

Please review the report's search and the alert search to see if one of them is using the sendemail command.

Another possibility is if the report or alert is in another Splunk app, check that Splunk app's local and default directories for a file called alert_actions.conf. This file can contain custom email settings and those settings only apply in the app that contains this file.

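The error text in this thread is the message Python's smtplib raises when the server's EHLO reply lists no AUTH extension. The following is an added example, not code from the thread or from Splunk's sendemail.py: it probes a host and port for the advertised extensions and reproduces the message. The stub server, its hostnames and its ports are constructed so the example runs offline.

```python
import smtplib
import socketserver
import threading

NOT_SUPPORTED = "SMTP AUTH extension not supported by server."

def probe(host, port, timeout=5):
    """Return what the server at host:port advertises in its EHLO reply."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=timeout) as s:
        s.ehlo()
        return {"auth": s.has_extn("auth"),
                "mechanisms": s.esmtp_features.get("auth", "").split(),
                "starttls": s.has_extn("starttls")}

def login_error(host, port, user="u", password="p", timeout=5):
    """Try AUTH as an smtplib client would; return the error text, or None."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=timeout) as s:
        try:
            s.login(user, password)
        except smtplib.SMTPException as exc:
            return str(exc)
    return None

class FakeSMTP(socketserver.StreamRequestHandler):
    """Constructed stub: answers EHLO with the extensions set on its server."""
    def handle(self):
        self.wfile.write(b"220 fake.invalid ESMTP\r\n")
        for raw in self.rfile:
            verb = raw[:4].upper()
            if verb == b"EHLO":
                lines = ["fake.invalid"] + self.server.extensions
                for i, text in enumerate(lines):
                    sep = " " if i == len(lines) - 1 else "-"
                    self.wfile.write(f"250{sep}{text}\r\n".encode())
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 not implemented\r\n")

def start_fake(extensions):
    """Start the stub on a free localhost port and return that port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTP)
    srv.extensions, srv.daemon_threads = extensions, True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

if __name__ == "__main__":
    for exts in (["SIZE 1000"], ["AUTH PLAIN LOGIN", "STARTTLS"]):
        port = start_fake(exts)
        print(port, probe("127.0.0.1", port), login_error("127.0.0.1", port))
```

Against a real server, call probe() with the Mail host and port that Splunk is configured to use; a result with "auth" False on that port is the condition behind the error.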

fab73
Path Finder

Thanks anyway for your suggestions.


fab73
Path Finder

Thanks in advance....

  1. The search generating the alert does not use any "| sendmail" command. I checked the search string opening "Open in search" on the alert list (correct?):

"| rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search is_active=1 | eval stack_id=stack_ids | fields stack_id] | eval quota=if(isnull(effective_quota),quota,effective_quota) | eval "% di utilizzo"=round(used_bytes/quota*100,2) | fields Pool "% di utilizzo" | where '% di utilizzo'>64"

This query is used to fire an alert when license usage goes over 64%. No sendmail command is here.

  2. Alert is configured in the App search. But there is no alert_actions.conf in App search; I suppose it uses the system conf. All alert_actions.conf files are:

/opt/splunk/etc/apps/alert_logevent/default/alert_actions.conf
/opt/splunk/etc/apps/alert_webhook/default/alert_actions.conf
/opt/splunk/etc/system/local/alert_actions.conf
/opt/splunk/etc/system/default/alert_actions.conf

Anyway, using btool for system config, all seems to be correct as for the Report......still investigating....
