IBM Support

QRadar SOAR: SMTP mail server authentication mode problems affecting SOAR and Outbound Email integration

Troubleshooting


Problem

SMTP email notifications sent for IBM Security QRadar SOAR and emails sent from the Outbound Email application stopped working with no changes made to SOAR or application configurations.

Symptom

Emails were not sent from SOAR nor the Outbound Email application.

Cause

Mail server or load balancer related problem.

Environment

SMTP email servers sitting behind a load balancer.

Diagnosing The Problem

Investigation of /usr/share/co3/logs/client.log shows the following error when SOAR tries to send an email notification using the configured SMTP server.
Caused by: javax.mail.AuthenticationFailedException: 535 5.7.3 Authentication unsuccessful
Furthermore, the Outbound Email application showed the following error when the Test Configuration button was pressed.
------------------------
Running selftest for: 'fn-outbound-email'
------------------------


fn-outbound-email: 
Unable to confirm public certificate has trust for 'emailProtection'. Continuing.
send: 'ehlo [<IP ADDRESS>]\r\n'
reply: b'250-<MAIL SERVER ADDRESS> Hello [<IP ADDRESS>]\r\n'
reply: b'250-SIZE 37748736\r\n'
reply: b'250-PIPELINING\r\n'
reply: b'250-DSN\r\n'
reply: b'250-ENHANCEDSTATUSCODES\r\n'
reply: b'250-STARTTLS\r\n'
reply: b'250-X-ANONYMOUSTLS\r\n'
reply: b'250-AUTH NTLM\r\n'
reply: b'250-X-EXPS GSSAPI NTLM\r\n'
reply: b'250-8BITMIME\r\n'
reply: b'250-BINARYMIME\r\n'
reply: b'250-CHUNKING\r\n'
reply: b'250-SMTPUTF8\r\n'
reply: b'250 XRDST\r\n'
reply: retcode (250); Msg: b'<MAIL SERVER ADDRESS> Hello [<IP ADDRESS>]\nSIZE 37748736\nPIPELINING\nDSN\nENHANCEDSTATUSCODES\nSTARTTLS\nX-ANONYMOUSTLS\nAUTH NTLM\nX-EXPS GSSAPI NTLM\n8BITMIME\nBINARYMIME\nCHUNKING\nSMTPUTF8\nXRDST'
No suitable authentication method found.
send: 'quit\r\n'
reply: b'221 2.0.0 Service closing transmission channel\r\n'
reply: retcode (221); Msg: b'2.0.0 Service closing transmission channel'
	selftest: failure
	selftest output:
	{'state': 'failure', 'reason': 'Failed to send test email with error:No suitable authentication method found.'}
	Elapsed time: 0.009000 seconds

ERROR: running selftest for App.
Error Code: 1
The SOAR server returns "Authentication unsuccessful" which is correct, but it doesn't return why SOAR could not authenticate.
The Outbound Email application returns "No suitable authentication method found" which is a better indicator of the problem.
When looking at the authentication methods the mail server supports, AUTH NTLM is returned by the mail server. This is not a supported authentication method of either Outbound Email or SOAR. The mail server needs to support AUTH LOGIN for the username and password used by both applications to work.
reply: b'250-<MAIL SERVER ADDRESS> Hello [<IP ADDRESS>]\r\n'
reply: b'250-SIZE 37748736\r\n'
reply: b'250-PIPELINING\r\n'
reply: b'250-DSN\r\n'
reply: b'250-ENHANCEDSTATUSCODES\r\n'
reply: b'250-STARTTLS\r\n'
reply: b'250-X-ANONYMOUSTLS\r\n'
reply: b'250-AUTH NTLM\r\n'
reply: b'250-X-EXPS GSSAPI NTLM\r\n'
reply: b'250-8BITMIME\r\n'
reply: b'250-BINARYMIME\r\n'
reply: b'250-CHUNKING\r\n'
reply: b'250-SMTPUTF8\r\n'
reply: b'250 XRDST\r\n'
Whilst SOAR reports "Authentication unsuccessful," the real reason was that client and server had no authentication method in common: the mail server did not offer AUTH LOGIN.
The following command, with the placeholder values replaced, returned different mail servers with different authentication modes when run from the SOAR CLI and from the App Host CLI. It can be used as part of troubleshooting related problems.
touch /tmp/test.txt
curl smtp://<MAIL SERVER ADDRESS>:25 --mail-from <EMAIL ADDRESS> --mail-rcpt <EMAIL ADDRESS> --upload-file /tmp/test.txt --user '<USER>:<PASSWORD>' -v
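As an added diagnostic example (not IBM's code and not part of the Outbound Email app), the following Python script does the same check programmatically: it extracts the 250 reply lines from a selftest debug log of the shape shown above, lists the AUTH mechanisms the server advertises, and reports whether a username/password client (which needs AUTH LOGIN or PLAIN) can authenticate. The probe_live function connects to a host several times so that inconsistent backends behind a load balancer show up as more than one distinct server name or AUTH list. The host names, IP addresses and log excerpt are constructed sample data.

```python
# Added diagnostic example (not IBM's code): parse the AUTH mechanisms a mail
# server advertises in its EHLO reply, decide whether a username/password
# client (AUTH LOGIN / PLAIN) can authenticate, and optionally probe a live
# host several times to detect inconsistent backends behind a load balancer.
import re
import smtplib
import ssl
from collections import Counter

# Mechanisms that Python's smtplib.SMTP.login() can negotiate.
# NTLM and GSSAPI are not among them.
CLIENT_MECHANISMS = {"LOGIN", "PLAIN", "CRAM-MD5"}

# Constructed excerpt of a selftest debug log in the same shape as the one
# in the article (sample data, not a real capture).
SAMPLE_SELFTEST_LOG = r"""
send: 'ehlo [10.0.0.5]\r\n'
reply: b'250-mail.example.test Hello [10.0.0.5]\r\n'
reply: b'250-SIZE 37748736\r\n'
reply: b'250-STARTTLS\r\n'
reply: b'250-AUTH NTLM\r\n'
reply: b'250-X-EXPS GSSAPI NTLM\r\n'
reply: b'250 XRDST\r\n'
reply: retcode (250); Msg: b'mail.example.test Hello [10.0.0.5]\nSIZE 37748736'
"""

# Constructed EHLO reply from a backend that does support AUTH LOGIN.
SAMPLE_EHLO_LOGIN = [
    "250-mail2.example.test Hello [10.0.0.5]",
    "250-STARTTLS",
    "250-AUTH LOGIN PLAIN",
    "250 OK",
]


def ehlo_lines_from_debug_log(text):
    """Pull the raw 250 reply lines out of smtplib-style debug output."""
    return re.findall(r"reply: b'(250[- ][^'\\]*)", text)


def parse_ehlo_auth(ehlo_lines):
    """Return the set of SASL mechanisms named on '250-AUTH ...' lines.
    The Exchange-specific X-EXPS list is deliberately ignored."""
    mechanisms = set()
    for line in ehlo_lines:
        body = line[4:] if line.startswith(("250-", "250 ")) else line
        parts = body.split()
        if parts and parts[0].upper() == "AUTH":
            mechanisms.update(p.upper() for p in parts[1:])
    return mechanisms


def diagnose(ehlo_lines, client_mechanisms=CLIENT_MECHANISMS):
    """Explain, in the words the selftest uses, whether login can succeed."""
    offered = parse_ehlo_auth(ehlo_lines)
    usable = offered & set(client_mechanisms)
    if not offered:
        return "no AUTH advertised (server may only offer AUTH after STARTTLS)"
    if not usable:
        return ("No suitable authentication method found: server offers "
                + " ".join(sorted(offered)))
    return "ok: can authenticate with " + " ".join(sorted(usable))


def probe_live(host, port=25, attempts=5, timeout=10):
    """Connect to `host` several times and record which server name and AUTH
    list each connection saw. More than one distinct key means the address
    fronts backends with inconsistent SMTP authentication configuration."""
    seen = Counter()
    for _ in range(attempts):
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if smtp.has_extn("starttls"):
                smtp.starttls(context=ssl.create_default_context())
                smtp.ehlo()  # the AUTH list can change once TLS is up
            name = smtp.ehlo_resp.split(b"\n")[0].decode(errors="replace").strip()
            auth = tuple(sorted(smtp.esmtp_features.get("auth", "").upper().split()))
            seen[(name, auth)] += 1
    return seen


if __name__ == "__main__":
    print(diagnose(ehlo_lines_from_debug_log(SAMPLE_SELFTEST_LOG)))
    print(diagnose(SAMPLE_EHLO_LOGIN))
```

Run the script as-is to see the two constructed cases classified; to check a real load-balanced address, call probe_live("<MAIL SERVER ADDRESS>") from both the SOAR host and the App Host and compare the counters, which is the programmatic equivalent of running the curl command above from each side.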

Resolving The Problem

The client's SMTP address was a load balancer that distributes connections across multiple mail servers. This load balancer address was configured in the Outbound Email app.config and, using the resutil smtpedit command, as the SMTP server for SOAR notifications.
After reconfiguring SOAR using resutil smtpedit, subsequent tests using sudo resutil smtptest -email xxxxx to send a test email to a recipient worked. Test Configuration in the Outbound Email application also worked.
Investigation of the Outbound Email application logs, with debug enabled (loglevel = DEBUG), showed that the load balancer had directed the application to a different mail server, one that did support AUTH LOGIN.
The client took an action to investigate why their mail servers were not consistently configured with AUTH LOGIN.

Document Information

Modified date:
24 April 2024

UID

ibm17149323