I have defined a new non-admin user and already added the list_settings capability as instructed by the Splunk documentation here.
https://docs.splunk.com/Documentation/Splunk/7.2.3/Alert/Emailnotification
But it still fails to send the alert when the mail server is using SMTP auth.
Here is the python.log:
2018-09-17 15:21:51,268 +0800 DEBUG ssl_context:444 - createSSLContext sslVersions [16] commonNameList [None] altNameList [None] validatePeerCert [0] rootCAPath [None] isClientContext [True] cipherSuite [ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256]
2018-09-17 15:21:51,295 +0800 ERROR sendemail:137 - Sending email. subject="Splunk testing", results_link="None", recipients="[u'user1@abc.com.hk']", server="172.21.184.4"
2018-09-17 15:21:51,295 +0800 ERROR sendemail:452 - {u'user1@abc.com.hk': (530, 'SMTP authentication is required.')} while sending mail to: user1@abc.com.hk
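Added example (not from the post or from Splunk itself): a small Python triage script that parses sendemail ERROR lines in the python.log format shown above and classifies the failure, so an admin can see at a glance that the alert died on an SMTP 530 "authentication required" reply rather than on a connectivity problem. The embedded log lines are constructed from the post; the server address and recipients are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in Splunk's python.log format (hypothetical hosts/recipients).
SAMPLE_LOG = """\
2018-09-17 15:21:51,268 +0800 DEBUG ssl_context:444 - createSSLContext sslVersions [16]
2018-09-17 15:21:51,295 +0800 ERROR sendemail:137 - Sending email. subject="Splunk testing", results_link="None", recipients="[u'user1@abc.com.hk']", server="172.21.184.4"
2018-09-17 15:21:51,295 +0800 ERROR sendemail:452 - {u'user1@abc.com.hk': (530, 'SMTP authentication is required.')} while sending mail to: user1@abc.com.hk
2018-09-17 16:02:10,004 +0800 ERROR sendemail:452 - Connection unexpectedly closed while sending mail to: somebody@something.com
"""

# timestamp, level, source module:line, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [+-]\d{4}) "
    r"(?P<level>\w+) sendemail:(?P<lineno>\d+) - (?P<msg>.*)$"
)
# smtplib reports refused recipients as {recipient: (code, message)}
REFUSED_RE = re.compile(r"u?'(?P<rcpt>[^']+)': \((?P<code>\d{3}), '(?P<reason>[^']*)'\)")

def classify(msg):
    """Map one sendemail error message to (class, smtp_code, reason)."""
    m = REFUSED_RE.search(msg)
    if m:
        code = int(m.group("code"))
        cls = "smtp_auth_required" if code == 530 else "smtp_refused"
        return cls, code, m.group("reason")
    if "Connection unexpectedly closed" in msg:
        return "connection_closed", None, msg.split(" while")[0]
    return "other", None, msg

def parse_sendemail_errors(text):
    """Return one finding per sendemail ERROR that reports a delivery failure."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "ERROR":
            continue
        msg = m.group("msg")
        if msg.startswith("Sending email."):  # the attempt line, not the failure
            continue
        cls, code, reason = classify(msg)
        rcpt = msg.rsplit("while sending mail to: ", 1)[-1]
        findings.append({"ts": m.group("ts"), "class": cls, "code": code,
                         "reason": reason, "recipient": rcpt})
    return findings

def summarize(findings):
    """Count failures per class; a run of smtp_auth_required points at the credential/role problem."""
    return Counter(f["class"] for f in findings)
```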
@daniel_splunk Is there no other way to allow non-admin users to send alert emails when SMTP authentication is required? Are there any other capabilities from the "admin" role that I can assign to the "user" role in order to allow regular users to send email?
I just upgraded from Splunk Enterprise 7.3.3 to 8.05, and one of my non-admin users said that his saved alerts used to be able to send him emails when we were on 7.3.3. Nothing has changed with his Splunk role or the SMTP authentication requirement between our pre- and post-Splunk upgrade.
If your email account is SMTP auth enabled, you need to have the admin role in order to read the email auth details such as the password.
So, if I understand how sendemail works when SMTP auth is required, a user needs the "admin_all_objects" capability in order to read auth_username and auth_password from alert_actions.
This means regular users can't send email, as the credentials get passed to SMTP server with null values. These users generally see something like this:
command="sendemail", Connection unexpectedly closed while sending mail to: somebody@something.com.
Is this a feature or a bug?
In my testing, you only needed to have the "list_settings" capability with a "user" role in order for this to work. (Using Splunk Cloud 7.2.9).
See this link: https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Alert/Emailnotification
This section: "Define an email notification for an alert or scheduled report"
You need to have the admin role together with the list_settings capability in order to send alert emails when SMTP auth is used.